Kerberoasting becomes high priority when SPNs are attached to privileged accounts, service ownership is unclear, or password rotation is inconsistent. Those conditions expand the blast radius of a successful crack and make escalation more likely. If your inventory cannot explain why an SPN exists, treat it as a security issue.
Why This Matters for Security Teams
Kerberoasting crosses into high-priority territory when the service principal is more than a technical account and starts behaving like a privilege bridge. If an SPN is tied to a domain admin, backup operator, or application owner with broad RBAC, a cracked password can become a direct path to lateral movement. Current guidance suggests treating that as an identity risk, not a narrow Windows authentication issue. The same logic applies in NHI programmes more broadly, where unclear ownership and weak rotation create avoidable exposure, as reflected in Top 10 NHI Issues and the NIST Cybersecurity Framework 2.0. The practical issue is blast radius: one weak service account can expose a cluster of systems, secrets, and delegated rights. In practice, many security teams encounter Kerberoasting only after privilege abuse has already begun, rather than through intentional service-account governance.
How It Works in Practice
The risk becomes urgent when three conditions align: privileged SPNs, weak or stale passwords, and poor inventory hygiene. A service account with an SPN is Kerberoastable because its ticket can be requested and cracked offline, so the attacker does not need repeated online guesses. That means the defensive priority is to reduce what the password unlocks and shorten how long it remains valid. Use Ultimate Guide to NHIs — Key Challenges and Risks to anchor your service-account review process, and pair it with the access-governance expectations in NIST Cybersecurity Framework 2.0. Practically, teams should:
- Remove unnecessary SPNs from privileged or interactive accounts.
- Prefer managed service accounts or JIT-issued secrets over long-lived passwords where the platform allows it.
- Assign each service account a named owner and a documented business purpose.
- Rotate passwords on a fixed schedule, and more often after any privilege change.
- Monitor for abnormal ticket requests, especially for accounts that should be quiet.
The 2024 ESG report found that 72% of organisations have experienced or suspect a breach of non-human identities, which is a reminder that identity gaps often show up as repeated incidents rather than one-off events. For service accounts, that is where weak ownership and overprivileged SPNs turn a crackable password into a material IAM event. These controls tend to break down in legacy Active Directory estates where application owners cannot replace hard-coded credentials quickly because the service dependency map is incomplete.
Common Variations and Edge Cases
Tighter service-account control often increases operational overhead, requiring organisations to balance exposure reduction against application stability. The hardest cases are legacy apps, vendor-managed platforms, and batch jobs that still depend on static credentials. Best practice is evolving here: there is no universal standard for every migration path, but current guidance favours reducing privilege first, then shortening credential lifetime, then moving toward JIT or workload identity where feasible. That approach aligns with the broader NHI risk themes in OWASP NHI Top 10 and the operational challenges captured in Ultimate Guide to NHIs — Why NHI Security Matters Now. Edge cases also include service accounts that are not privileged on paper but can reach secrets stores, deployment pipelines, or data-export jobs. Those are still high priority if compromise would reveal reusable tokens or let an attacker chain access into more sensitive systems. In practice, the question is not whether the account is “admin,” but whether cracking it would give an attacker a foothold that meaningfully changes the incident response picture.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Addresses weak rotation and overexposed NHI credentials tied to SPNs. |
| NIST CSF 2.0 | PR.AC-4 | Maps to managing access permissions and limiting blast radius. |
| NIST AI RMF | Supports governance and accountability for identity risks in automated systems. |
Apply least privilege to service accounts and review entitlements after every change.
