
Package attempts to authenticate every HTTP request, even if Kerberos is not supported

Open sean-r-williams opened this issue 1 year ago • 0 comments

The title probably seems antithetical to the purpose of this package, so bear with me for a moment. 😄

When adding this package's Transport/RoundTripper, it immediately sets a Kerberos token on all requests that pass through it.

This causes two problems:

  • If a host does not [currently] support Kerberos, the package will attempt to generate a Kerberos token anyway
  • If the client has composed multiple auth-related transports/RoundTrippers together, stamping tokens on every request means other transports can't authenticate.

In my case, I'm writing a client for a service that's currently NTLM-only (WWW-Authenticate: NTLM - yeah, I know, it's old) with plans to enable Kerberos auth in the next couple of months. To make my life easier, my plan for the client was to compose an NTLMSSP transport (similar implementation to Azure/go-ntlmssp's Negotiator), with this as the inner transport.

By comparison, Azure/go-ntlmssp takes a more conservative [multi-step] approach to authentication - requests are tried in the following order:

  • As-is, from the parent transport
  • Without any authentication (if and only if the previous request had any)
  • With an NTLMSSP_NEGOTIATE message, if either of the previous two requests declared WWW-Authenticate: NTLM
  • With an NTLMSSP_AUTH message, if the previous message provided an NTLMSSP_CHALLENGE message

Not all of this is directly applicable to SPNEGO, but this does have the benefit of:

  • Not munging requests unless absolutely necessary (thus allowing other auth methods from outer transports to work)
  • Not performing unnecessary authentication work against a service that doesn't accept Negotiate auth

Happy to PR something to adjust this if desired - this should also be something that can be configured (maybe a bool flag like ForceAuthentication defaulted to false, like #5 did)

sean-r-williams, Dec 18 '23 23:12
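One way to implement the challenge-driven behaviour the issue asks for, as an added example that is not go-spnego's code: the RoundTripper below sends every request untouched and attaches a Negotiate token only after a 401 whose WWW-Authenticate advertises Negotiate, so an NTLM-only host (or an outer NTLMSSP transport) is never interfered with. `TokenSource`, `ChallengeTransport` and `OffersScheme` are hypothetical names; a real implementation would obtain the token from go-spnego.

```go
package main

import (
	"net/http"
	"strings"
)

// TokenSource is a hypothetical stand-in for SPNEGO token generation (not go-spnego's API).
type TokenSource func() (string, error)

// ChallengeTransport sends each request untouched and adds "Authorization: Negotiate <token>"
// only after a 401 that offers Negotiate; NTLM or other challenges pass through unchanged.
type ChallengeTransport struct {
	Base  http.RoundTripper
	Token TokenSource
}

func (t *ChallengeTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	resp, err := t.Base.RoundTrip(req)
	if err != nil || resp.StatusCode != http.StatusUnauthorized ||
		!OffersScheme(resp.Header.Values("WWW-Authenticate"), "Negotiate") ||
		(req.Body != nil && req.GetBody == nil) { // body cannot be replayed
		return resp, err // success, transport error, someone else's challenge, or unretryable
	}
	resp.Body.Close() // discard the challenge response before retrying
	tok, err := t.Token()
	if err != nil {
		return nil, err
	}
	retry := req.Clone(req.Context())
	if req.GetBody != nil {
		if retry.Body, err = req.GetBody(); err != nil {
			return nil, err
		}
	}
	retry.Header.Set("Authorization", "Negotiate "+tok)
	return t.Base.RoundTrip(retry)
}

// OffersScheme reports whether any WWW-Authenticate value lists scheme, e.g. "Negotiate",
// "NTLM" or "Negotiate, NTLM"; scheme names compare case-insensitively.
func OffersScheme(values []string, scheme string) bool {
	for _, v := range values {
		for _, part := range strings.Split(v, ",") {
			if f := strings.Fields(part); len(f) > 0 && strings.EqualFold(f[0], scheme) {
				return true
			}
		}
	}
	return false
}
```

Wrap it as `&http.Client{Transport: &ChallengeTransport{Base: http.DefaultTransport, Token: ...}}`; an outer NTLMSSP transport can then sit in front of it and will still see the server's NTLM challenge unchanged.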