What conditions must be met for AS-REPRoasting to succeed?
The target domain user must have the 'Do not require Kerberos preauthentication' attribute enabled in Active Directory. This option is not enabled by default, so an attacker often needs prior permissions—such as GenericWrite—to set it via PowerView before exploiting the vulnerability. Once enabled, the attacker can request an AS-REP and extract the hash.
AS-REPRoasting, Kerberos preauthentication, PowerView, GenericWrite