WinRM should register its proper SPN
The WinRM service should register the HTTP/computername:5985 and HTTP/computername.fqdn:5985 (or configured port) SPNs so that clients can locate the proper Kerberos principal to authenticate against. Currently anything that uses Kerberos over http:80 can claim its valid SPN and break Kerberos authentication for WinRM.
I wish this one would get approved. It is a huge issue in an enterprise of 11,000 servers.
Thank you so much for raising this one.
But the strange thing is that there is already a WSMAN/* SPN which should be used instead. Then there will be no conflict with the HTTP ones.
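As an added example (not part of this thread, and not Microsoft's tooling), the following PowerShell script audits the SPN situation the original post and the last comment describe: it lists whether the WSMAN/* SPNs and the HTTP/host:port SPNs are registered on a computer object, looks for any other AD account holding an HTTP SPN for the same host name (the conflict that breaks WinRM Kerberos), optionally registers the missing HTTP SPNs, and then confirms with Test-WSMan using Kerberos. It assumes the ActiveDirectory RSAT module, a caller with read (and, for -Register, write) access to the computer object, the default listener port 5985, and a placeholder host name such as SRV01.

```powershell
<#
Added example, not from the original thread: audit the SPNs a WinRM host needs for
Kerberos and find any other account claiming an HTTP SPN for the same host name.
Assumes the ActiveDirectory RSAT module is installed and the caller can read AD
(and write the computer object if -Register is used).
Usage: .\Test-WinRmSpn.ps1 -ComputerName SRV01            (SRV01 is a placeholder)
       .\Test-WinRmSpn.ps1 -ComputerName SRV01 -Register -WhatIf
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)]
    [string]$ComputerName,          # short host name of the WinRM server
    [int]$Port = 5985,              # WinRM HTTP listener port; 5986 for HTTPS
    [switch]$Register               # add the missing HTTP SPNs to the computer object
)

Import-Module ActiveDirectory -ErrorAction Stop

$computer = Get-ADComputer -Identity $ComputerName -Properties servicePrincipalName, DNSHostName
$fqdn     = $computer.DNSHostName

# WSMAN/* is what the WinRM service registers on its own; the HTTP/...:port entries
# are the ones the original post asks for. Braces keep ':' out of the variable name.
$wanted = @(
    "WSMAN/$ComputerName", "WSMAN/$fqdn",
    "HTTP/${ComputerName}:$Port", "HTTP/${fqdn}:$Port"
)
$registered = @($computer.servicePrincipalName)

# SPN comparison is case-insensitive, as are PowerShell's -contains/-notcontains.
$missing = @($wanted | Where-Object { $registered -notcontains $_ })
foreach ($spn in $wanted) {
    $state = if ($registered -contains $spn) { 'registered' } else { 'MISSING' }
    Write-Output ("{0,-45} {1}" -f $spn, $state)
}

# Conflict check: any other account holding an HTTP SPN for this host name (with or
# without the port) is the principal the KDC will issue the service ticket for.
$candidates = @("HTTP/$ComputerName", "HTTP/$fqdn", "HTTP/${ComputerName}:$Port", "HTTP/${fqdn}:$Port")
$conflicts = @(foreach ($spn in $candidates) {
    Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName |
        Where-Object { $_.DistinguishedName -ne $computer.DistinguishedName } |
        ForEach-Object { [pscustomobject]@{ SPN = $spn; Owner = $_.DistinguishedName } }
})
if ($conflicts.Count -gt 0) {
    Write-Warning "HTTP SPN(s) for $ComputerName are owned by another account:"
    $conflicts | Format-Table -AutoSize | Out-String | Write-Warning
} else {
    Write-Output "No conflicting HTTP SPN owners found."
}

# Optional remediation: register the missing SPNs on the computer object.
# Skipped when a conflict exists, because adding a duplicate SPN does not fix it.
if ($Register -and $missing.Count -gt 0 -and $conflicts.Count -eq 0) {
    if ($PSCmdlet.ShouldProcess($computer.DistinguishedName, "add SPNs: $($missing -join ', ')")) {
        Set-ADComputer -Identity $computer -ServicePrincipalNames @{ Add = $missing }
    }
}

# Verify the listener answers with Kerberos (throws if no usable ticket can be obtained).
try {
    Test-WSMan -ComputerName $fqdn -Port $Port -Authentication Kerberos -ErrorAction Stop | Out-Null
    Write-Output "Test-WSMan with Kerberos against ${fqdn}:$Port succeeded."
} catch {
    Write-Warning "Test-WSMan with Kerberos failed: $($_.Exception.Message)"
}
```

The conflict check deliberately uses an LDAP query rather than parsing setspn.exe output, so it works the same on any domain controller and can be dropped into a scheduled audit across many hosts; the -Register path is gated behind ShouldProcess so -WhatIf shows the SPNs that would be added before anything is written to the computer object.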