Ah, I see (and it was super helpful but please remove the picture as it contains your real server names and domains in it).
So the instructions would assume that the service is running under the LocalSystem account, which is why you would use HOSTNAME$ as the account to attach to the SPN. In your case, running under a dedicated Service Account, you’d need to configure the SPNs a bit differently.
First you need to remove the iem/hostname and iem/hostname.domainname SPNs from the HOSTNAME$ user account, which you should be able to do with the ‘setspn’ command. The service principal names have to be unique within the Domain, and even with the right permission your server won’t be able to update the service account’s SPN if there is an existing duplicate in the domain.
Then, you could either wait for your AD team to update permissions on the service account, or create the mapping manually. It’s been a while since I’ve gone through this, but my recollection is you should create the SPNs manually via
setspn -U -S iem/HOSTNAME domain\service-account-name
setspn -U -S iem/hostname.domainname.com domain\service-account-name
For reference, this is updating the user object for the “service-account-name” user account to add the “iem” Service (on your host) to that account, which means that when your client requests a Kerberos ticket for the “iem” service on HOSTNAME, you receive a ticket which is encrypted with a key that the “service-account-name” (running the BigFix Server) can decrypt to authenticate you.
(For a time, “IEM” was a brand name for BigFix, “IBM Endpoint Manager”)
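The steps above (check for duplicates, remove the SPNs from the computer account, then register them on the service account) as one re-runnable script. This is an added example, not part of the post or of BigFix; it uses the RSAT ActiveDirectory module for the ownership lookup and setspn.exe for the changes, and every host, domain and account name in it is a placeholder to be replaced with your own.

```powershell
# Added example (not from the original post): move the "iem" SPNs off the
# computer account and onto the dedicated service account, checking first
# that nothing else in the domain already holds them. Requires the RSAT
# ActiveDirectory module plus setspn.exe, run as a user allowed to edit
# both accounts. All names below are placeholders.
Import-Module ActiveDirectory

$Hostname       = 'HOSTNAME'                 # placeholder: server NetBIOS name
$Fqdn           = 'hostname.domainname.com'  # placeholder: server DNS name
$Domain         = 'DOMAIN'                   # placeholder: NetBIOS domain name
$ServiceAccount = 'service-account-name'     # placeholder: sAMAccountName of the BigFix service account
$ComputerSam    = "$Hostname`$"              # computer account sAMAccountName, e.g. HOSTNAME$

$Spns = @("iem/$Hostname", "iem/$Fqdn")

foreach ($spn in $Spns) {
    # 1. Who holds this SPN right now? SPNs must be unique in the domain, so
    #    any holder other than the service account needs attention.
    #    (Get-ADObject only returns sAMAccountName when asked for it.)
    $holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName

    foreach ($holder in $holders) {
        switch ($holder.sAMAccountName) {
            $ServiceAccount {
                Write-Host "$spn is already registered on $Domain\$ServiceAccount; nothing to do."
            }
            $ComputerSam {
                # 2. Remove the stale registration from the computer account
                #    (-C: treat the account as a computer; -D: delete the SPN).
                Write-Host "Removing $spn from $Domain\$ComputerSam"
                & setspn.exe -C -D $spn "$Domain\$ComputerSam"
            }
            default {
                # A duplicate on an unrelated account: setspn -S would refuse the
                # add, and clients could be issued tickets for the wrong key.
                throw "$spn is held by unexpected account $($holder.DistinguishedName); resolve that before continuing."
            }
        }
    }

    # 3. Register the SPN on the service account. -S re-checks for duplicates
    #    before adding, so re-running the script is safe; -U treats the
    #    account name as a user object.
    if ($holders.sAMAccountName -notcontains $ServiceAccount) {
        Write-Host "Adding $spn to $Domain\$ServiceAccount"
        & setspn.exe -U -S $spn "$Domain\$ServiceAccount"
    }
}

# 4. Verify the end state: the service account should now list both SPNs.
& setspn.exe -L "$Domain\$ServiceAccount"
```

The lookup is done through LDAP rather than by parsing setspn output because the `servicePrincipalName` attribute is what Kerberos actually resolves, so the query shows exactly which account a ticket for `iem/HOSTNAME` would be encrypted for. If you would rather stay entirely within the AD module, `Set-ADComputer -ServicePrincipalNames @{Remove=...}` and `Set-ADUser -ServicePrincipalNames @{Add=...}` make the same changes as the two setspn calls.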