Forum Discussion
Kerberos authentication not working after IIS/SharePoint rebuild.
What exactly is meant by "owning" a service? Is that being the identity of the application pool?
That's exactly what it is. It's the identity associated with the application pool. That identity can be the local system (ApplicationPoolIdentity, LocalSystem, etc.) or it can be an actual AD account that you create. If you create an account to use as the app pool identity, you of course need to create an arbitrary SPN for that account, and then specify that SPN as the SPN Pattern in the APM Kerberos SSO. This actually creates an interesting artifact. When you do Kerberos with a browser, the browser derives the SPN from the FQDN in the URL and you have no other control over that. If the FQDN is different, then the SPN will be different. But since you're statically (or dynamically) deriving an SPN in the SSO, that SPN can be used for pretty much anything. That same SPN can be used by everything APM Kerberos touches, regardless of the service's actual name.
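The ownership described in the answer above can be checked on the IIS server after a rebuild. This is an added example, not part of the original thread: the app pool name and SPN are placeholder assumptions, and it assumes the ActiveDirectory and WebAdministration PowerShell modules are installed.

```powershell
# Added example: verify that the SPN used in the APM Kerberos SSO is owned by
# exactly one AD account, and that this account is the app pool identity.
Import-Module ActiveDirectory
Import-Module WebAdministration

$AppPoolName = 'SharePoint - 80'           # placeholder (assumption)
$Spn         = 'HTTP/sp-svc.example.com'   # placeholder arbitrary SPN (assumption)

# 1. Which identity runs the application pool?
$pm = (Get-Item "IIS:\AppPools\$AppPoolName").processModel
if ($pm.identityType -eq 'SpecificUser') {
    # Accept DOMAIN\user or user@domain and reduce it to the sAMAccountName
    $expected = ($pm.userName -replace '^.*\\', '') -replace '@.*$', ''
} else {
    # Built-in identities (ApplicationPoolIdentity, LocalSystem, NetworkService)
    # authenticate on the network as the computer account
    $expected = $env:COMPUTERNAME + '$'
}
Write-Host "App pool '$AppPoolName' runs as $($pm.identityType); expected SPN owner: $expected"

# 2. Which AD account(s) currently hold the SPN?
$owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$Spn'" -Properties sAMAccountName)

# 3. Compare. A missing, duplicated or misplaced SPN breaks ticket decryption.
if ($owners.Count -eq 0) {
    Write-Warning "No account holds $Spn. Register it with: setspn -S $Spn $expected"
} elseif ($owners.Count -gt 1) {
    Write-Warning "Duplicate SPN $Spn on: $($owners.sAMAccountName -join ', ')"
} elseif ($owners[0].sAMAccountName -ne $expected) {
    Write-Warning "$Spn is owned by $($owners[0].sAMAccountName), not by $expected"
} else {
    Write-Host "OK: $Spn is owned only by $expected"
}
```

A rebuilt server that switched the pool between a built-in identity and a domain account will show up here as the "owned by" mismatch.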