Finding Kerberoastable users
Kerberoasting requests a TGS and needs Kerberos pre-authentication to be disabled. It will not work for a COMPUTER$ account, as the service ticket is encrypted with the machine account’s password. But if the requested SPN is registered for a user account rather than a computer account, the user’s password is used to encrypt the service ticket.
Get-DomainUser -SPN -Properties distinguishedname,serviceprincipalname [-Domain FOREIGN]
GetUserSPNs.py <domain_name>/<username>:<password> -dc-ip <dc_ip> -request
This will produce a very large output that needs manual triage (check for USER accounts).
setspn -T <DOMAIN> -F -Q */*
AS-REP roasting requests a TGT rather than a TGS. Kerberos pre-authentication does not need to be enabled.
Get-DomainUser -PreauthNoRequired -Properties distinguishedname
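For the defensive side, the two lookups above can be combined into one audit report that also shows which accounts most need remediation. This is an added example, not part of the original notes; it assumes the ActiveDirectory (RSAT) module is installed, and the 365-day password-age threshold is an illustrative choice.

```powershell
# Added example: defensive audit of user accounts exposed to the two
# roasting techniques described above. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Assumption: passwords older than this many days are flagged for rotation.
$MaxPasswordAgeDays = 365

$props = 'servicePrincipalName', 'PasswordLastSet', 'DoesNotRequirePreAuth',
         'msDS-SupportedEncryptionTypes', 'Enabled'

# Get-ADUser returns user objects only, so COMPUTER$ accounts are excluded
# and no manual triage is needed. The filter matches users that have an SPN
# OR have DONT_REQ_PREAUTH (userAccountControl bit 0x400000 = 4194304) set.
$filter = '(|(servicePrincipalName=*)' +
          '(userAccountControl:1.2.840.113556.1.4.803:=4194304))'

$report = Get-ADUser -LDAPFilter $filter -Properties $props | ForEach-Object {
    # msDS-SupportedEncryptionTypes bits: 0x1/0x2 DES, 0x4 RC4,
    # 0x8 AES128, 0x10 AES256. Unset (null) is treated as 0 here.
    $enc = [int]$_.'msDS-SupportedEncryptionTypes'
    $age = if ($_.PasswordLastSet) {
        ((Get-Date) - $_.PasswordLastSet).Days
    } else { $null }

    [pscustomobject]@{
        SamAccountName     = $_.SamAccountName
        Enabled            = $_.Enabled
        HasSPN             = $_.servicePrincipalName.Count -gt 0
        PreAuthNotRequired = [bool]$_.DoesNotRequirePreAuth
        # True only when AES is allowed and DES/RC4 are not.
        AesOnly            = (($enc -band 0x18) -ne 0) -and
                             (($enc -band 0x07) -eq 0)
        PasswordAgeDays    = $age
        StalePassword      = ($null -eq $age) -or ($age -gt $MaxPasswordAgeDays)
        SPNs               = $_.servicePrincipalName -join '; '
    }
}

# Enabled accounts with old passwords and weak encryption types come first.
$report |
    Sort-Object @{ Expression = 'Enabled'; Descending = $true },
                @{ Expression = 'StalePassword'; Descending = $true },
                'AesOnly' |
    Format-Table -AutoSize -Wrap
```

Accounts listed with PreAuthNotRequired set should have pre-authentication re-enabled unless there is a documented need, and user accounts with SPNs are candidates for long random passwords or migration to group managed service accounts.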