WinRM should register its proper SPN
The WinRM service should register the HTTP/computername:5985 and HTTP/computername.fqdn:5985 (or configured port) SPNs so that clients can locate the proper Kerberos principal to authenticate against. Currently anything that uses Kerberos over http:80 can claim its valid SPN and break Kerberos authentication for WinRM.
Gustavo Verduzco commented
The main problem is that WinRM/WSMan are HTTP based protocols, so, it makes sense that the HTTP SPN is used. But I totally understand your point, the main issue comes when the HTTP SPN is not registered to the computer account AD object and is registered to a group managed service account or a service account, that's where Kerberos authentication will break. If the HTTP SPN is registered to the computer account AD object, then there would be no issue at all.
Andrew Lomakin commented
WinRM should indeed use WSMAN SPN for all connections rather than HTTP SPN
I wish this one would get approved. It is a huge issue in an enterprise of 11,000 servers.
Thank you so much for raising this one.
But the strange thing is that there is already a WSMAN/* SPN which should be used instead. Then there will be no conflict with the HTTP ones.
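The failure mode described in the original post and in the comments (an HTTP SPN for the host held by a service account or gMSA rather than the computer account, so Kerberos to WinRM breaks) can be audited from any domain-joined machine. The following PowerShell script is an added example and is not code from the feedback item or from Microsoft; it queries AD for the HTTP/host, HTTP/host:5985 and WSMAN/host SPN forms mentioned in the thread and reports which object holds each one. It uses only the built-in [adsisearcher] wrapper, and the $ComputerName parameter and the column layout are assumptions of the example.

```powershell
# Added example (not from the feedback thread): audit which AD object holds the
# HTTP/<host> and WSMAN/<host> SPNs a WinRM client may request, and flag any that
# is held by something other than the host's own computer account.
# Assumes a domain-joined machine; $ComputerName is an assumed parameter.
param(
    [Parameter(Mandatory)] [string] $ComputerName
)

function Get-SpnOwner {
    param([string] $Spn)
    # Escape characters with LDAP filter meaning (RFC 4515); backslash first.
    $escaped = $Spn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher = [adsisearcher]"(servicePrincipalName=$escaped)"
    $searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'objectClass', 'distinguishedName')) | Out-Null
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            SPN               = $Spn
            Owner             = [string]$r.Properties['samaccountname'][0]
            # objectClass is multi-valued (top, person, ..., computer); the most
            # specific class is listed last: computer, user, msDS-GroupManagedServiceAccount
            ObjectClass       = [string]($r.Properties['objectclass'] | Select-Object -Last 1)
            DistinguishedName = [string]$r.Properties['distinguishedname'][0]
        }
    }
}

$short = $ComputerName.Split('.')[0]
$fqdn  = [System.Net.Dns]::GetHostEntry($ComputerName).HostName

# SPN forms discussed in the thread: HTTP/host with and without the 5985 port,
# plus the WSMAN/host form that already exists for the computer account.
$candidates = @(
    "HTTP/$short", "HTTP/$fqdn", "HTTP/${short}:5985", "HTTP/${fqdn}:5985",
    "WSMAN/$short", "WSMAN/$fqdn"
)

$results = foreach ($spn in $candidates) { Get-SpnOwner -Spn $spn }

if (-not $results) {
    Write-Output "No HTTP/ or WSMAN/ SPNs found for $ComputerName."
}

foreach ($r in $results) {
    # The host's computer account is "<short name>$"; anything else holding an
    # HTTP/ SPN for this host is the conflict the thread describes.
    $heldByComputer = ($r.ObjectClass -eq 'computer') -and ($r.Owner -ieq "$short`$")
    $verdict = if ($heldByComputer) { 'OK: held by the computer account' }
               else { 'WARNING: held by another principal; Kerberos to WinRM on this host will fail' }
    Write-Output ("{0,-38} {1,-24} {2,-32} {3}" -f $r.SPN, $r.Owner, $r.ObjectClass, $verdict)
}
```

Run it as `.\Check-WinRmSpn.ps1 -ComputerName server01.corp.example` (the file name and host are placeholders). A WARNING row whose ObjectClass is `user` or `msDS-GroupManagedServiceAccount` is exactly the case Gustavo Verduzco describes: the HTTP SPN has been claimed by a service account, so the KDC issues a ticket for that account's key and the WinRM service cannot decrypt it. The fix on the AD side is to move the HTTP SPN back to the computer account or give the other service a distinct host name, and to confirm the WSMAN/ entries still belong to the computer account.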