[krbdev.mit.edu #8021] SPNEGO clients should not try IAKERB by default

[Greg Hudson via RT]

We implemented IAKERB in 1.9.  SPNEGO automatically tries all mechanisms 
except for SPNEGO itself, so it tries IAKERB after regular krb5.  In 
practice, this is rarely useful and often serves to complicate scenarios 
which would otherwise be simple.  For instance, if the user has credentials 
but we cannot get a service ticket for the target host, we try IAKERB 
instead of failing locally; most of the time this is unnecessary work and 
obscures the resulting error message.