Hello, I set up 2 domains with a bi-directional trust relationship: domain1.com and domain2.com.
When I try to authenticate using user@domain1.com accessing resource.domain2.com (I'm using WinRM to test)
Get-WSManInstance wmi/root/cimv2/* -Enumerate -Filter "SELECT * FROM Win32_ComputerSystem" -ComputerName resource.domain2.com -Authentication Kerberos -Credential user@domain1.com
I'm getting the following error. When I try to do that using user@domain2.com, everything is ok:

Get-WSManInstance : An unknown security error occurred.
At line:1 char:1
+ Get-WSManInstance wmi/root/cimv2/* -Enumerate -Filter "SELECT * FROM ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-WSManInstance], COMException
    + FullyQualifiedErrorId : Exception,Microsoft.WSMan.Management.GetWSManInstanceCommand

Get-WSManInstance : <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150858909" Machine="kitchen-unit"><f:Message>WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred.
 Possible causes are:
  -The user name or password specified are invalid.
  -Kerberos is used when no authentication method and no user name are specified.
  -Kerberos accepts domain user names, but not local user names.
  -The Service Principal Name (SPN) for the remote computer name and port does not exist.
  -The client and remote computers are in different domains and there is no trust between the two domains.
 After checking for the above issues, try the following:
  -Check the Event Viewer for events related to authentication.
  -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
   Note that computers in the TrustedHosts list might not be authenticated.
  -For more information about WinRM configuration, run the following command: winrm help config.</f:Message></f:WSManFault>
At line:1 char:1
+ Get-WSManInstance wmi/root/cimv2/* -Enumerate -Filter "SELECT * FROM ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (wmi/root/cimv2/*:Uri) [Get-WSManInstance], InvalidOperationException
    + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.GetWSManInstanceCommand
I think that something is wrong with SPNs, but I have not found how SPNs should be configured for cross-realm authentication.
Should I create SPNs on the Computer Account within domain1.com?
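An added diagnostic script (not part of the original post) that walks the cross-realm Kerberos path the error message lists: DNS name of the target, KDC discovery for the trusted realm, trust direction, SPN ownership, and a direct service-ticket request. Error 0x80090322 is SEC_E_WRONG_PRINCIPAL, so the SPN checks are the ones to watch; the host, realm and user names are taken from the post, and the script assumes the RSAT ActiveDirectory module plus setspn.exe, klist.exe and nltest.exe on the client.

```powershell
# Run on the client as the domain1.com user. Names below come from the post; adjust as needed.
param(
    [string]$Target      = 'resource.domain2.com',
    [string]$UserRealm   = 'domain1.com',
    [string]$TargetRealm = 'domain2.com'
)

# 1. Name resolution. The name given to -ComputerName is what the client builds the SPN from,
#    so a CNAME alias yields an SPN (HTTP/alias) that no computer account holds.
Write-Host "== DNS record for $Target"
Resolve-DnsName $Target | Select-Object Name, Type, IPAddress, NameHost

# 2. The client must locate a KDC for the target realm; if this fails, no cross-realm ticket is possible.
Write-Host "== KDC discovery for $TargetRealm"
nltest /dsgetdc:$TargetRealm /kdc

# 3. The trust must be present and bidirectional from both sides.
Write-Host "== Trusts as seen from each realm"
Get-ADTrust -Filter * -Server $UserRealm   | Select-Object Name, Direction, TrustType, ForestTransitive
Get-ADTrust -Filter * -Server $TargetRealm | Select-Object Name, Direction, TrustType, ForestTransitive

# 4. WinRM over HTTP requests HTTP/<host>. The computer account's default HOST/ SPNs cover HTTP,
#    so the SPN must map to the target's own computer account in domain2.com and to no other
#    account. Registering it on an account in domain1.com would not help: the ticket would be
#    encrypted with a key the target does not hold, which is exactly what SEC_E_WRONG_PRINCIPAL means.
Write-Host "== SPN owners (query runs against the client's forest; repeat with -T $TargetRealm)"
setspn -Q "HTTP/$Target"
setspn -T $TargetRealm -Q "HOST/$Target"
setspn -T $TargetRealm -X   # duplicate SPNs also break Kerberos

# 5. Request a service ticket directly. Failure here points at DNS/trust/SPN;
#    success here with WinRM still failing points at the target's WinRM listener or its key.
Write-Host "== Service ticket for HTTP/$Target"
klist purge | Out-Null
klist get "HTTP/$Target"
klist

# 6. Repeat the handshake with Test-WSMan, which returns the WS-Man fault without the WMI layer.
Write-Host "== WinRM handshake"
Test-WSMan -ComputerName $Target -Authentication Kerberos -Credential "user@$UserRealm"
```

Compare the owner reported by setspn with the target's computer account; a mismatch, a duplicate, or a CNAME in step 1 explains the wrong-principal error without any extra SPNs in domain1.com.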