Implement GSS_IAKERB_MECHANISM support for Kerberos SPNEGO

Description

In some environments (misconfigured DNS in particular), client browsers cannot negotiate with the Kerberos KDC directly, and so ask GitLab to act as an intermediary to the KDC for them. This is the GSS_IAKERB_MECHANISM.

Proposal

Add GSS_IAKERB_MECHANISM support to GitLab so these clients work transparently.

This isn't just a case of working around misconfigurations. I expect this is also useful in cases where the KDC is genuinely inaccessible to the browser - perhaps it's kept behind a firewall and users are working remotely. As long as the GitLab server has access to the KDC and supports IAKERB, these clients should be able to authenticate successfully.

Links / references

  • https://gitlab.com/gitlab-org/gitlab-ee/issues/2266#note_35290596
  • https://k5wiki.kerberos.org/wiki/Projects/IAKERB

Feature checklist

Make sure these are completed before closing the issue, with a link to the relevant commit.

  • Feature assurance
  • Documentation
  • Added to features.yml

/cc @DouweM @stanhu @chaase
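
To gauge how many clients would depend on this, a server can check which mechanisms a browser offers in its `Authorization: Negotiate` header. The following is an added example, not GitLab code or part of the original issue: the function names and the sample header are constructed for illustration, and the OIDs are the published SPNEGO and IAKERB mechanism identifiers rather than values from this page.

```ruby
# Mechanism OIDs: SPNEGO (RFC 4178) and IAKERB (as registered by MIT krb5).
SPNEGO_OID = '1.3.6.1.5.5.2'
IAKERB_OID = '1.3.6.1.5.2.5'
# Constructed sample: a NegTokenInit whose mechTypes list is [IAKERB, Kerberos 5].
SAMPLE_HEADER = 'Negotiate ' + [['602306062b0601050502a0193017a015301306062b060105020506092a864886f712010202'].pack('H*')].pack('m0')

# Read one DER TLV at pos, checking its tag; returns [value_bytes, next_pos].
def read_tlv(bytes, pos, want_tag)
  tag, len = bytes.getbyte(pos), bytes.getbyte(pos + 1)
  raise ArgumentError, 'truncated or unexpected tag' unless tag == want_tag && len
  pos += 2
  if len >= 0x80 # long form: low 7 bits give the number of length bytes
    n = len & 0x7f
    raise ArgumentError, 'bad length' if n.zero? || n > 4 || pos + n > bytes.bytesize
    len = bytes.byteslice(pos, n).bytes.inject(0) { |a, b| (a << 8) | b }
    pos += n
  end
  raise ArgumentError, 'truncated value' if pos + len > bytes.bytesize
  [bytes.byteslice(pos, len), pos + len]
end

# Decode the content bytes of a DER OBJECT IDENTIFIER into dotted form.
def oid_to_s(der)
  arcs = der.bytes.slice_when { |a, _| a < 0x80 }.map { |g| g.inject(0) { |v, b| (v << 7) | (b & 0x7f) } }
  raise ArgumentError, 'empty OID' if arcs.empty?
  first = [arcs[0] / 40, 2].min
  [first, arcs[0] - 40 * first, *arcs[1..]].join('.')
end

# Mechanism OIDs offered in an "Authorization: Negotiate <base64>" header value.
def offered_mechs(header_value)
  scheme, b64 = header_value.to_s.split(' ', 2)
  raise ArgumentError, 'not a Negotiate header' unless scheme&.casecmp?('Negotiate') && b64
  outer, = read_tlv(b64.strip.unpack1('m0'), 0, 0x60) # GSS-API initial context token
  oid, pos = read_tlv(outer, 0, 0x06)
  return [oid_to_s(oid)] unless oid_to_s(oid) == SPNEGO_OID # raw single-mechanism token
  init, = read_tlv(outer, pos, 0xa0)                   # [0] negTokenInit
  seq, = read_tlv(init, 0, 0x30)
  list, = read_tlv(read_tlv(seq, 0, 0xa0)[0], 0, 0x30) # [0] mechTypes, SEQUENCE OF OID
  mechs, pos = [], 0
  while pos < list.bytesize
    m, pos = read_tlv(list, pos, 0x06)
    mechs << oid_to_s(m)
  end
  mechs
end

def iakerb_offered?(header_value)
  offered_mechs(header_value).include?(IAKERB_OID)
end
```

Malformed or non-Negotiate headers raise `ArgumentError`, so a caller logging mechanism usage should rescue that and treat the request as carrying no usable token.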
