Browser kerberos authentication
On a Windows host, which is a member of AD domain and authentication is Kerberos-based, how does a browser get TGT and Service ticket to access a specific service? I want to understand what APIs it uses at the implementation level.