The user account is given a token which in effect is sort of a hash of the details required to login.
The account goes to SQL and says hello here is my token
SQL then goes to the domain controllers and says, Hi, such a user with this token wants to connect, is the information they provided me correct?
If AD says yes the information matches, you login, if not you dont.