When you use IWA, authentication is done by IIS and the browser (as the browser does not pass the domain name, IIS is configured with a default). The ASP host module will create a WindowsPrincipal from the user token passed by IIS. The core module will then pass the WindowsPrincipal to ASP.NET Core. The ASP.NET Core authentication middleware will use the passed WindowsPrincipal for authentication. This is done on every request. The WindowsPrincipal is the supplier of roles/claims; see:
https://learn.microsoft.com/en-us/dotnet/api/system.security.principal.windowsprincipal?view=net-6.0
In the case of hosting on Linux/macOS, ASP.NET Core needs to do the Windows authentication itself. As directory services and WindowsPrincipal are not supported on Linux/macOS, LDAP is used to validate the username/password. You may also load roles via LDAP, but this may not be quick and is optional, thus it's a separate configuration option. Adding EnableLdap has no effect if hosted by IIS.
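
The EnableLdap option mentioned above, wired into a minimal `Program.cs` as an added example (not code from the original answer). The domain `example.test`, the `Ldap:*` configuration keys and the `/whoami` endpoint are assumptions made for illustration. The endpoint reports which principal type and role claims the app actually receives on each request.

```csharp
using System.Runtime.InteropServices;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.Negotiate;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(NegotiateDefaults.AuthenticationScheme)
    .AddNegotiate(options =>
    {
        // Role lookup over LDAP is only configured for the Linux host;
        // behind IIS the WindowsPrincipal already supplies roles/claims.
        if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
        {
            options.EnableLdap(settings =>
            {
                settings.Domain = "example.test"; // placeholder domain
                // Service account used for the LDAP queries. Read from
                // configuration (assumed key names), never hard-coded.
                settings.MachineAccountName =
                    builder.Configuration["Ldap:MachineAccountName"];
                settings.MachineAccountPassword =
                    builder.Configuration["Ldap:MachineAccountPassword"];
            });
        }
    });

// Require an authenticated user on every endpoint unless one opts out.
builder.Services.AddAuthorization(options =>
    options.FallbackPolicy = options.DefaultPolicy);

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Diagnostic endpoint (hypothetical): shows what the middleware produced.
app.MapGet("/whoami", (ClaimsPrincipal user) =>
{
    var identity = user.Identity as ClaimsIdentity;
    return new
    {
        name = identity?.Name,
        principalType = user.GetType().Name,   // WindowsPrincipal under IIS
        authenticationType = identity?.AuthenticationType,
        // Role claims under the identity's own role claim type.
        roles = identity?.FindAll(identity.RoleClaimType).Select(c => c.Value)
    };
});

app.Run();
```

Restrict or remove the diagnostic endpoint outside of testing, since it discloses group membership for the calling account.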