IWA is a general name for NTLM authentication.
NTLM is a connection oriented three phase authentication scheme. The authentication flow goes like this:
- The web client (browser) makes an HTTP request to the proxy
- The proxy responds that authentication is required and that NTLM authentication is supported
- The client then sends the same HTTP request with credentials identifying machine and user
- The proxy responds with an NTLM challenge
- The client sends the request again with the challenge response
- If the challenge response is good, then the proxy serves the web page.
All three phases will be logged in the HTTP Access Log. If the browser/web client makes another request on the same TCP connection as the request on the last phase, the request will be served without authentication challenge because that TCP connection is considered to be authorized, so subsequent requests on that TCP connection will only show once in the access log. If surrogates are being used (cookie or IP) then the access log will only show the challenge once until the surrogate TTL has passed. Essentially, the user is only authenticated once every TTL interval.