We are working on a very similar problem. The Kerberos Configuration tool is also showing two delete actions in the script it generates. My domain admins are not willing to execute them without more information. The script has the two adds:
MSSQLSvc/servername.domainname to account domainname\accountname
MSSQLSvc/servername.domainname:1433 to account domainname\accountname
Then two deletes:
MSSQLSvc/servername.domainname from account domainname\servername$
MSSQLSvc/servername.domainname:1433 from account domainname\servername$
Their concern is that the deletions may affect other servers which also use that domain account to run SQL service. We opened a support issue with Microsoft and they couldn't tell us that the deletes would not affect other servers.
Does anyone know what the entries are with servername appended by $?
When I install SQL Server, remote windows authentication always works and I normally use the domain account to run the service. I am not a domain admin and I have not had to get them to run adds after an install. So now I am not sure why that works from the install but not if we change the account later.
UPDATE. We never had SPN registration in our build plans hence all of our servers use NTLM. Turns out changing the service account to a domain account and not manually registering the SPN looks to have broken NTLM for remote connections. From what I can gather since connections always try kerberos first and take NTLM when they don't find the SPN everything is usually fine. When the connection finds a invalid SPN then depending on the application NTLM can fail as well. This was a single purpose SQL Server to host our monitoring repositories. Our work around was to change the one app which connected remotely to use SQL authentication.