05/12/2020
Referring to the Spec Part 4 - Services concerning the UserIdentityToken (and also Part 2)
"The credentials of the user associated with the Client application. The Server uses these credentials to determine whether the Client should be allowed to activate a Session and what resources the Client has access to during this Session.
...
Null or empty user token shall always be interpreted as anonymous."
-> What is the expected behaviour of a server, if it supports Anonymous Access and the Client comes in with wrong credentials?
To my understanding, the server (or rather the Session Manager) is expected to derive the UserIdentityToken anyway and to trigger an authentication flow if the client provides these credentials; the server then denies the right to activate a session if authentication fails, even if anonymous access is allowed.
In order to really do an anonymous connect, the credentials MUST be empty or missing.
Is that correct, wrong or just unspecified?