IWA is a general name for NTLM authentication.
NTLM is a connection oriented three phase authentication scheme. The authentication flow goes like this:
Phase 1
Phase 2
Phase 3
All three phases will be logged in the HTTP Access Log. If the browser/web client makes another request on the same TCP connection as the request on the last phase, the request will be served without authentication challenge because that TCP connection is considered to be authorized, so subsequent requests on that TCP connection will only show once in the access log. If surrogates are being used (cookie or IP) then the access log will only show the challenge once until the surrogate TTL has passed. Essentially, the user is only authenticated once every TTL interval.