After spending hours and hours research, this is what I found:
1. A server name can only be applied to one user.
Run SPN -L username to check what servers have been set to the user. Make sure it contains short and long name
2. If there is Kerberos turned on the server, the application pool must run under the SPN user, otherwise you will get Event ID 529 Kerberos error;
3. Use kerbtray to see if Kerberos ticket is generated on the client machine, you should see the server name in the Ticket List.

Here is the link to MS support