The v2.0 SecurityException is chock full of debugging goodness -- for trusted code that is.  In some cases you might not see all the extended error information.  The reason is that before writing extra security information into the output of ToString(), the SecurityException will demand ControlEvidence and ControlPolicy.  If that demand fails, it omits:

  • First failing permission
  • Demanded permission
  • Granted set
  • Refused set
  • Denied set
  • PermitOnly set
  • Failing assembly
  • Failing method
  • URL

This might come up if you're hosting partial trust code in a sandboxed domain, and at the domain boundary you catch and log exceptions.  In your log, the SecurityException probably won't have the information needed to help track down the real issue.  In that case, you'll need to have FullTrust code do the ToString operation, and also make sure to Assert ControlEvidence and ControlPolicy so that the demand does not fail when it hits the partial trust domain boundary.  Of course, you'll want to make sure that the partial trust code doesn't get this string back and cannot read from the log file.