I would be explaining it here, however, I think the best information source in this case is still Microsoft itself:
Microsoft Developer Network - Service Principal Name
I try to explain it as simple as possible :)
It enables you to use the Windows Authentication method using the mutual Kerberos authentiction (See Microsoft TechNet: What is Kerberos Authentication?)
You set a Service Principal Name (SPN) on a specific server for a service account that is responsible for managing this service to allow the handling of permitting the mutual Kerberos authentication.
Therefore, to use the Kerberos authentication, it is required for the Windows security to determine the (user-)account that a service is using. This is realized by registering the Service Principal Name for the server and the (user-)account which the service is using.
Before you begin you need an account that has Domain Admin permissions or has the Validated write to service principal names permission delegated.
setspn -S http/servername serviceaccount
setspn -S https/servername serviceaccount
Where servername is the fully qualified domain name and serviceaccount is the account running the Trados GroupShare services. This is an example of how the syntax could look like:
setspn -S http/gsserver.sdl.com global\adminuser