    MDEV-23959 GSSAPI plugin - support AD or local group name, and SIDs on Windows · cab5c00a
    Vladislav Vaintroub authored
    Support membership tests in SSPI with special prefix form
    
    CREATE USER u IDENTIFIED WITH gssapi AS "GROUP:<group_name>"
    or
    CREATE USER u IDENTIFIED WITH gssapi AS "SID:<sid>"
    
    If a user is created as one of the above, then after a successful SSPI handshake
    the following happens:
    
    1) If "GROUP:" prefix is used, then <group_name> is translated to SID
    using LookupAccountName() API
    
    2) SSPI user is checked for SID membership with
    ImpersonateSecurityContext() and CheckMembership() APIs
    
    Note that <group>/<sid> does not strictly need to refer to an actual
    group.
    Identity test is also supported, e.g. "GROUP:<users_name>" or
    "SID:<user_sid>" will work too.
    
    
    Well-known SIDs (in SDDL syntax) appear to be supported, such as:
    "SID:WD" will refer to World/Everyone (== "SID:S-1-1-0")
    or
    "SID:BA" will refer to Administrators (== "SID:S-1-5-32-544")
    
    In UAC environments, for successful checks against Administrators group,
    elevation(Run As Administrator) might be necessary, since CheckMembership()
    needs groups to be marked as enabled in the token group list.
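The three steps the commit message describes (resolve a group name to a SID, accept well-known SDDL aliases, then test the authenticated token for membership) can be checked by an administrator on the Windows host before a `GROUP:` or `SID:` user is created, which is useful for catching the UAC case where a membership test against Administrators fails because the group is present in the token but not enabled. The script below is an added illustration written for this page and is not code from the MariaDB commit or from `sspi_server.cc`; it uses the .NET `System.Security.Principal` classes instead of the plugin's direct SSPI calls (`NTAccount.Translate` stands in for `LookupAccountName()`, the `SecurityIdentifier` string constructor relies on `ConvertStringSidToSid` to expand two-letter aliases, and `WindowsPrincipal.IsInRole` is backed by `CheckTokenMembership`). The account and group names at the bottom are constructed sample values.

```powershell
# Added example (not part of the MariaDB commit): pre-flight checks for
# "GROUP:<name>" / "SID:<sid>" gssapi users, run on the MariaDB Windows host.
Set-StrictMode -Version Latest

function Resolve-GroupSid {
    param([Parameter(Mandatory)][string]$Name)
    # Step 1 of the commit message: translate an AD or local name to a SID.
    # NTAccount.Translate performs the same lookup as LookupAccountName().
    $account = New-Object System.Security.Principal.NTAccount($Name)
    return $account.Translate([System.Security.Principal.SecurityIdentifier])
}

function ConvertFrom-SddlSid {
    param([Parameter(Mandatory)][string]$Sddl)
    # Accepts both the numeric "S-1-..." form and two-letter SDDL aliases
    # such as WD (Everyone) or BA (Administrators). The string constructor
    # delegates to ConvertStringSidToSid, which expands the aliases.
    return New-Object System.Security.Principal.SecurityIdentifier($Sddl)
}

function Test-SidMembership {
    param(
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid,
        [System.Security.Principal.WindowsIdentity]$Identity =
            [System.Security.Principal.WindowsIdentity]::GetCurrent()
    )
    # Identity test: the SID may name the account itself rather than a group,
    # mirroring the "GROUP:<users_name>" / "SID:<user_sid>" cases.
    if ($Identity.User -eq $Sid) { return $true }
    # Group test against the token's group list. Like CheckTokenMembership,
    # only groups marked enabled count, hence the UAC elevation note.
    $principal = New-Object System.Security.Principal.WindowsPrincipal($Identity)
    return $principal.IsInRole($Sid)
}

function Test-TokenElevated {
    # Tells the operator whether a negative Administrators result is explained
    # by an unelevated (filtered) token rather than by missing membership.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Show-MembershipReport {
    param([Parameter(Mandatory)][string[]]$Specs)
    # $Specs uses the same prefix form as CREATE USER ... AS "GROUP:x" / "SID:y".
    foreach ($spec in $Specs) {
        $prefix, $value = $spec -split ':', 2
        $sid = switch ($prefix) {
            'GROUP' { Resolve-GroupSid $value }
            'SID'   { ConvertFrom-SddlSid $value }
            default { throw "unknown prefix '$prefix' in '$spec'" }
        }
        [pscustomobject]@{
            Spec     = $spec
            Sid      = $sid.Value
            IsMember = Test-SidMembership $sid
        }
    }
}

# Constructed sample specs: a well-known alias, its numeric form, a local
# group by name and a user by name (identity test). Replace with your own.
$specs = @(
    'SID:WD',
    'SID:S-1-5-32-544',
    'GROUP:BUILTIN\Administrators',
    "GROUP:$env:USERDOMAIN\$env:USERNAME"
)

Show-MembershipReport -Specs $specs | Format-Table -AutoSize
if (-not (Test-TokenElevated)) {
    Write-Warning 'Token is not elevated; Administrators checks may report $false under UAC.'
}
```

Run the script once from a normal console and once from an elevated one: the `SID:WD` and identity rows should be members in both, while the Administrators rows will typically flip from `False` to `True` after elevation, which is exactly the behaviour the commit message warns about. The same applies to the service account the MariaDB server runs as, so the check should be repeated under that account if it differs from the operator's.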
sspi_server.cc 11.6 KB