Does Waffle get the Kerberos ticket from Windows?
Waffle uses the Windows SSPI, which performs all operations involving Kerberos tickets on client's behalf. The client never sees the ticket.
How does the server validate the ticket of the client?
This is a basic Kerberos question. The token sent to the server is encrypted by server's secret key, which guarantees that the token was created by the Ticket Granting Service, which authenticated the client.
Can I absolutely trust the user groups which I get after the do-loop from the server context?
Yes, the are retrieved from the security token. This is a Windows-specific extension of the MIT Kerberos protocol.