...
If the policy denies access, the failed attempt is logged and an error event named "ImpersonationViolation" terminates the entire request. This is an event you can configure whatever error handling you prefer in response to (see ErrorHandlingConfiguration), but for new installs it's defined to be a "local error". Upgraded systems will need to add that event to the map of local events (compare your copy of conf/errors.xml to the one in the dist directory).
If the policy allows access, the flow will:
...