We have found the solution. Eventually, it was the value of privatePortalURL.
There is a small note at the documentation of configuring a highly available portal:
If the privatePortalURL is different from the WebContextURL, do not set the X-Forwarded-Host header for this URL.
I used the same value for the two parameters privatePortalURL and WebContextURL. We have also configure our portal for IWA.
The privatePortalURL is not only used for communication between the federated ArcGIS Server and the portal, but also between the portal machines that participate in the portal site.
When the primary machine restarted, then the internal communication was happening via the public load balancer and that was triggering a windows authentication.
If IWA is configured, then the privatePortalURL must have a different value than the WebContextURL.
I have unset temporarily the privatePortalURL and everything works fine. We have asked from our system administrator a load balancer address which goes through the 7443 port, bypassing the windows authentication.