Kerberoasting, first described in 2014, is an attack that targets privileged domain user accounts by exploiting the internal mechanics of the Kerberos authentication protocol. The attacker's goal is to recover the clear-text password of such an account and thereby obtain the rights associated with it.
This attack can be carried out from inside an Active Directory environment with nothing more than an ordinary, unprivileged user account. If a specific Active Directory attribute, servicePrincipalName, is set on an account, the security of that account is weakened: its password can be guessed, and because the guessing happens offline against a service ticket rather than through the domain controller, the traditional lockout mechanism that disables an account after several failed logon attempts does nothing to stop an exhaustive attack on the password.
Highly privileged accounts (e.g. members of the Domain Admins group) are the usual targets. Such accounts can lead to a full domain compromise very quickly and should therefore be protected against this Kerberos configuration weakness.
The Kerberoasting Indicator of Attack can alert security personnel when an attacker attempts to exploit this weakness. Detection alone is not enough, however: the underlying issue must still be fixed to protect the highly privileged accounts whose compromise would quickly lead to a full domain compromise.
Privileged accounts should not have a Service Principal Name.
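As an added audit example (not part of this article), the following PowerShell script lists members of privileged groups that carry a servicePrincipalName, which is exactly the condition the recommendation above says should not exist. It assumes the RSAT ActiveDirectory module is available and that the built-in group names listed are the ones that matter in your domain; adjust the list to your own tier-0 groups.

```powershell
# Added example, not from the original article: find privileged accounts
# that have a servicePrincipalName set and are therefore Kerberoastable.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Assumption: these built-in groups are the privileged groups to audit.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

$findings = foreach ($group in $privilegedGroups) {
    # -Recursive resolves nested group membership so indirect members are included.
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $user = Get-ADUser -Identity $_.distinguishedName `
                -Properties servicePrincipalName, PasswordLastSet, Enabled
            # Only accounts with at least one SPN expose a crackable service ticket.
            if ($user.servicePrincipalName.Count -gt 0) {
                [pscustomobject]@{
                    Group           = $group
                    SamAccountName  = $user.SamAccountName
                    Enabled         = $user.Enabled
                    PasswordLastSet = $user.PasswordLastSet
                    SPNs            = ($user.servicePrincipalName -join '; ')
                }
            }
        }
}

if ($findings) {
    # One row per account; the same user may appear through several groups.
    $findings | Sort-Object SamAccountName -Unique | Format-Table -AutoSize
} else {
    'No privileged account carries a servicePrincipalName.'
}

# Remediation for a reported account: move the service to a dedicated,
# non-privileged service account, then remove the SPN from the privileged one, e.g.
#   Set-ADUser -Identity <SamAccountName> -ServicePrincipalNames @{Remove='<SPN>'}
```

Accounts that are no longer in a privileged group but still have adminCount set to 1 are also worth reviewing, since that attribute marks objects that were once protected by AdminSDHolder.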