Let me first give you answer to your first question about how it works in background.
When anyone logs in to portal, Qlik Sends the credentials to AD and then AD checks the Authentication of that user. If authenticated, AD sends a positive reply to Qlik and then Qlik Checks the Qlik License against that user. Depending on license Qlik tries to open the application and while opening the application, Qlik Checks the Section Access script for row level Authentication.
You can go through the attached document for more detail.
Now can you feed us with some information like.
1. What version and SR of QlikView you are using.
2. Did you do the "All the required setting for Section Access" like "Initial Data Reduction Based on Section Access".
If possible post a sample script.