One Day Sec

Why are Service Principal Names (SPNs) critical to a Kerberoasting attack?

SPNs uniquely identify services running on servers and are stored in Active Directory. An attacker first queries SPNs, particularly those registered under domain user accounts (Users) rather than machine accounts, because only user account passwords are valuable for lateral movement. The attacker then requests TGS tickets for services whose SPNs are registered to high-privilege user accounts, which makes SPN enumeration the first step in Domain Penetration - Kerberoasting.
SPN, Service Principal Name, Active Directory, domain user account, privilege escalation
