Default to LSA when TGT in LSA is inaccessible

When UAC is enabled and a domain user with Administrator privileges logs in, the TGT is inaccessible. Access to the TGT in a UAC-restricted session may allow a non-elevated user to bypass the UAC.

In a UAC-restricted session, ms2mit copies the current tickets from the LSA ccache to the API ccache except the TGT, effectively preventing a user session from getting additional service tickets while appearing, for some purposes, to have a usable ccache.

Another bug is that ms2mit always copies from the LSA ccache to the default ccache, even if the default ccache is itself the LSA ccache.

New behavior:

* If the TGT is accessible in the LSA ccache, copy the LSA ccache to the API ccache.
* Set the registry key for the default ccname to "API:" if the copy occurred, or to "MSLSA:" if it didn't occur.

[tlyu@mit.edu: edit commit message]

(cherry picked from commit 33b862799efa65b16e2acd1510c84d9f1ded2cbb)

https://github.com/krb5/krb5/commit/e2ab5a8d7b5ec06dadadcf844132c2cc496c9bfa

Author: Sarah Day
Committer: Tom Yu
Commit: e2ab5a8d7b5ec06dadadcf844132c2cc496c9bfa
Branch: krb5-1.14

 src/windows/ms2mit/ms2mit.c | 99 ++++++++++++++++++++++++++++++++++---------
 1 files changed, 79 insertions(+), 20 deletions(-)