The user account is given a token which in effect is sort of a hash of the details required to login.

The account goes to SQL and says hello here is my token

SQL then goes to the domain controllers and says, Hi, such a user with this token wants to connect, is the information they provided me correct?

If AD says yes the information matches, you login, if not you dont.