Why is Kerberos pre-authentication brute-forcing preferred over LDAP brute-forcing for domain user enumeration?
Kerberos pre-authentication brute-forcing does not generate the Windows security event 4625 ('An account failed to log on') that LDAP brute-forcing produces, making it stealthier. Additionally, it can enumerate users from outside the domain without needing any valid credentials, whereas LDAP enumeration typically requires authentication. For more details, see Penetration Techniques - User Enumeration and Password Brute-forcing via Kerberos Pre-Authentication.
Tags: Kerberos pre-authentication, user enumeration, LDAP brute-forcing, event log 4625, stealth