tomcat
Sergey Gornostaev, 2014-11-27 12:23:14

How to set up transparent kerberos authentication on Tomcat?

I need to configure transparent Kerberos authentication, and only for one application. And all this is needed only so that the application knows who came to it; there is no need to restrict access to it.
I read the Windows Authentication How-To and did everything as written. I stalled on the "Web application" section: I can't figure out how to set up this Valve.


1 answer
Sergey Gornostaev, 2014-12-05
@sergey-gornostaev

I will answer myself. I got stuck because the Windows Authentication How-To alone is not enough. In addition to what is described in it, you also need to write the following in $CATALINA_HOME/<app-base>/<app-name>/WEB-INF/web.xml:

<security-constraint>
  <display-name>All users</display-name>
  <web-resource-collection>
    <web-resource-name>All requests</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>

<security-role>
  <description>All users</description>
  <role-name>*</role-name>
</security-role>

<login-config>
  <auth-method>SPNEGO</auth-method>
</login-config>

because without authorization there will be no authentication. Who would have guessed. The Valve, by the way, goes into $CATALINA_HOME/<app-base>/<app-name>/META-INF/context.xml in an extremely elementary form.
But that's not all. We also need a source of data about users, a Realm. I added it to $CATALINA_HOME/conf/server.xml in the Host section:
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://pdc.domain.local:389"
       alternateURL="ldap://bdc.domain.local:389"
       connectionName="CN=tomcat,OU=Services,DC=domain,DC=local"
       connectionPassword="qwerty"
       referrals="follow"
       userBase="OU=someou,DC=domain,DC=local"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"
       roleBase="OU=Security Groups,DC=domain,DC=local"
       roleName="name"
       roleSubtree="true"
       roleSearch="(member={0})" />

Then, however, I ran into the categorical unwillingness of Tomcat 7 to communicate with the 2012 domain controllers. For now I had to replace SPNEGO with FORM. But overall, the recipe works.
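The key point of the answer is that Tomcat only runs its authenticator for requests that match a `<security-constraint>` that carries an `<auth-constraint>`; a `<login-config>` with `SPNEGO` on its own produces no authentication. The following Python script, added here as an example and not part of the original answer, lints a web.xml for exactly those two pieces using only the standard library. The two embedded documents are constructed: the first wraps the fragment from the answer in a Servlet 3.1 `<web-app>` root, the second drops the `<auth-constraint>` to reproduce the trap the answer describes.

```python
"""Lint a Tomcat web.xml for the pieces that make SPNEGO authentication fire.

Added example (not from the original answer). Tomcat installs the authenticator
Valve selected by <login-config>, but only invokes it for URLs covered by a
<security-constraint> that has an <auth-constraint>. This script checks both.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the fragment from the answer, wrapped in a web-app root.
GOOD_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <display-name>All users</display-name>
    <web-resource-collection>
      <web-resource-name>All requests</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <description>All users</description>
    <role-name>*</role-name>
  </security-role>
  <login-config>
    <auth-method>SPNEGO</auth-method>
  </login-config>
</web-app>
"""

# Constructed sample of the trap from the answer: login-config and a constraint
# are present, but without <auth-constraint> nothing triggers authentication.
NO_AUTH_CONSTRAINT_WEB_XML = GOOD_WEB_XML.replace(
    "    <auth-constraint>\n      <role-name>*</role-name>\n    </auth-constraint>\n", "")


def _local(tag):
    """Drop the XML namespace so the checks work with or without an xmlns."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    found = _children(elem, name)
    return found[0].text.strip() if found and found[0].text else None


def lint_web_xml(xml_text):
    """Return (auth_method, protected_patterns, problems) for a web.xml document."""
    root = ET.fromstring(xml_text)
    problems = []

    # 1. <login-config> selects the authenticator Valve; without it none is wired in.
    login_configs = _children(root, "login-config")
    auth_method = _text(login_configs[0], "auth-method") if login_configs else None
    if auth_method is None:
        problems.append("no <login-config>/<auth-method>: no authenticator is wired in")
    elif auth_method.upper() != "SPNEGO":
        problems.append("auth-method is %s, not SPNEGO" % auth_method)

    # 2. Only constraints with an <auth-constraint> make Tomcat authenticate the caller.
    protected = []
    for sc in _children(root, "security-constraint"):
        patterns = [
            p.text.strip()
            for wrc in _children(sc, "web-resource-collection")
            for p in _children(wrc, "url-pattern")
            if p.text
        ]
        auth = _children(sc, "auth-constraint")
        if not auth:
            problems.append("constraint for %s has no <auth-constraint>: "
                            "requests pass through unauthenticated" % patterns)
            continue
        roles = [r.text.strip() for r in _children(auth[0], "role-name") if r.text]
        if not roles:
            # An empty <auth-constraint/> means no role is allowed, i.e. deny all.
            problems.append("constraint for %s has an empty <auth-constraint>: "
                            "every request is denied" % patterns)
            continue
        protected.extend(patterns)

    if "/*" not in protected:
        problems.append("no authenticated constraint covers /*: the application "
                        "will not learn who the caller is on every request")
    return auth_method, protected, problems


if __name__ == "__main__":
    for name, doc in (("good", GOOD_WEB_XML),
                      ("no-auth-constraint", NO_AUTH_CONSTRAINT_WEB_XML)):
        method, patterns, issues = lint_web_xml(doc)
        print(name, method, patterns, issues or "OK")
```

Run it against a real `WEB-INF/web.xml` by reading the file into `lint_web_xml`; an empty problem list together with `/*` in the protected patterns corresponds to the configuration the answer ends up with.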
