Service accounts create exposure because they are often long-lived, lightly reviewed, and tied to SPNs that allow ticket requests from any valid domain user. If the password is weak enough, the attacker can crack the ticket offline without touching the service. That turns neglected account lifecycle into an escalation path.
Why This Matters for Security Teams
service account are not dangerous because they exist. They become dangerous when they are allowed to persist, accumulate privileges, and keep SPNs without the same review discipline applied to human users. Kerberoasting turns that neglect into a measurable exposure: any valid domain user can request a service ticket, and the attacker can work on cracking it offline. That means detection often happens after the ticket has already been harvested, not when the account was created or its password age drifted past policy. NHIMG research shows this is part of a broader non-human identity problem, with 52 NHI Breaches Analysis and the Ultimate Guide to NHIs — Why NHI Security Matters Now both showing how often service accounts and other NHIs are the weak link in real incidents. The operational risk is not just credential theft, but lateral movement into application tiers, data stores, and privileged workflows. In practice, many security teams encounter Kerberoasting only after the crackable ticket has already been collected and the service account has already become an escalation path.How It Works in Practice
Kerberoasting succeeds because Kerberos allows a requester to ask the domain controller for a service ticket tied to an SPN, then attempt offline password cracking against the encrypted blob. That means the attacker does not need direct service access, and the service itself may never show an obvious compromise. A weak or reused service account password, especially one that is long-lived and shared across environments, increases the chance of recovery from offline cracking. This is why current guidance pushes teams toward short-lived secrets, tighter review, and service-account minimisation rather than assuming RBAC alone will contain the risk. NIST’s Zero Trust Architecture guidance supports the broader principle that access should be continuously evaluated, not granted as a durable entitlement. Practitioners usually reduce exposure by combining several controls:- Replace weak passwords with managed, randomised secrets or gMSA where feasible.
- Remove unnecessary SPNs and split high-value services into separate identities.
- Use PAM and JIT processes so privileged service credentials are issued only when needed.
- Rotate secrets on a defined schedule and shorten validity windows wherever the application allows.
- Track where service accounts authenticate, which hosts they reach, and whether the account should even exist.
Common Variations and Edge Cases
Tighter service-account control often increases operational overhead, requiring organisations to balance blast-radius reduction against application fragility and recovery time. That tradeoff is real: some older systems cannot tolerate frequent password rotation, some vendor apps hard-code service credentials, and some environments depend on shared identities to keep batch jobs running. Best practice is evolving here, and there is no universal standard for how often every service account should rotate; the right cadence depends on criticality, recoverability, and whether JIT or gMSA can be used. There are also edge cases where Kerberoasting is not the primary concern. If the service account is backed by a managed platform identity, or the SPN is removed entirely, the attack surface changes materially. Likewise, if an organisation has strong detection for unusual ticket requests, the risk shifts from initial harvesting to post-crack usage. NHIMG’s The 52 NHI breaches Report shows that compromise usually becomes severe when weak lifecycle controls combine with excessive privilege, not when one control fails in isolation. For teams modernising toward Zero Trust, the practical goal is to treat service accounts as workload identities with explicit ownership, visible purpose, and revocation paths, rather than as invisible infrastructure leftovers. Where applications still require static credentials, compensating controls such as isolation, constrained delegation, and aggressive monitoring become essential, but they are second-best options rather than a durable design pattern.Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Service-account rotation and lifecycle control are central to Kerberoasting risk. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | Kerberoasting exposure drops when access is continuously evaluated and tightly scoped. |
| NIST AI RMF | Autonomous or automated workloads need governance around identity, access, and accountability. |
Apply least privilege, continuous verification, and short-lived credentials for every service identity.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on May 29, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
Reviewed and updated by the NHIMG editorial team on May 29, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
