When launching the shell with a username/password specified, either by way of a mongodb:// uri or by pass -user/-password parameters, we see two authentications performed.

The first is the result of a call to MongoURI::connect() which contains a call to DBClientBase::auth().
The second is via db.auth() in the Javascript layer.

This results in multiple round-trips for the extra auth and in the case of Enterprise users, multiple "authenticate" entries in the audit log.