In the IWA use case, authentication is performed by the IIS server. The Web Agent and the Policy Server "trust" the IIS authentication. After authentication, the Web Agent and the Policy Server still need to authorize the user to access the requested resource, so the Policy Server has to find the user in the User Store. If the Policy Server doesn't find the user in the User Store, it cannot authorize the user, and you'll see "Authentication Attempt" failed errors in smaccess.log. The Policy Server then asks the Web Agent to authenticate the user again. Because authentication is done by the IIS server, the transaction enters a loop: the Web Agent trusts the successful authentication from the IIS server and again asks the Policy Server to authorize the user.
Depending on the browser, this loop repeats a number of times, after which the browser stops processing.
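One way to spot this loop in the access log, as an added example that is not part of the original article or the product: it flags a user and resource pair that produces a burst of "Authentication Attempt" failures within a few seconds, which separates the loop from a single failed lookup. The line layout, field names, timestamps, thresholds and sample entries are constructed assumptions; adapt the regex to the layout your smaccess.log actually uses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed, simplified line layout (constructed for this example, not the
# product's documented format): [timestamp] event text user="..." resource="..."
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+(?P<event>.+?)\s+user="(?P<user>[^"]*)"\s+resource="(?P<res>[^"]*)"$'
)
TS_FORMAT = "%Y-%m-%d %H:%M:%S"
FAILURE_MARKER = "Authentication Attempt"  # phrase the article says appears in smaccess.log

# Constructed sample: jdoe is missing from the User Store and loops on /app/.
SAMPLE_LOG = """\
[2024-01-10 09:00:00] Authentication Attempt user="jdoe" resource="/app/"
[2024-01-10 09:00:01] Authentication Attempt user="jdoe" resource="/app/"
[2024-01-10 09:00:02] Authentication Attempt user="asmith" resource="/hr/"
[2024-01-10 09:00:02] Authentication Attempt user="jdoe" resource="/app/"
[2024-01-10 09:00:03] Authentication Accept user="bob" resource="/app/"
[2024-01-10 09:00:03] Authentication Attempt user="jdoe" resource="/app/"
this line does not match the assumed layout and is skipped
[2024-01-10 09:00:04] Authentication Attempt user="jdoe" resource="/app/"
[2024-01-10 09:00:05] Authentication Attempt user="jdoe" resource="/app/"
[2024-01-10 09:05:00] Authentication Attempt user="jdoe" resource="/app/"
"""

def find_auth_loops(lines, threshold=5, window_seconds=10):
    """Return {(user, resource): peak failures seen inside one window} for
    pairs reaching `threshold`. Lines must be in chronological order."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # sliding window of failure times per pair
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or FAILURE_MARKER not in m["event"]:
            continue  # unparseable line or not a failed attempt
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        key = (m["user"], m["res"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks

if __name__ == "__main__":
    for (user, res), count in find_auth_loops(SAMPLE_LOG.splitlines()).items():
        print(f"possible IWA loop: {user} on {res}, {count} failed attempts; "
              "check that the user exists in the User Store")
```
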