Kerberoasting works because every service account in Active Directory has a Service Principal Name, and any authenticated user can request a service ticket for any SPN.
That sentence has been true since 2014. It is still true. It will be true at the end of this decade.
```bash
# the entire attack
impacket-GetUserSPNs -request \
  -dc-ip 10.10.10.10 \
  domain.local/lowpriv:Password1
```
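The defender's view of that same request pattern, as an added example that is not part of the original page: one account producing Windows Security Event ID 4769 records for several distinct user-backed services within a short window. The sample events, the `make_event` helper, the 60-second window and the threshold of 3 are assumptions chosen for illustration.

```python
from collections import defaultdict

RC4_HMAC = "0x17"  # TicketEncryptionType logged for an RC4-encrypted ticket


def make_event(time, requester, service, etype):
    """Hypothetical helper: a 4769 record reduced to the fields used below."""
    return {"time": time, "TargetUserName": requester,
            "ServiceName": service, "TicketEncryptionType": etype}


# Constructed sample records (time in seconds), not taken from a real log.
SAMPLE_EVENTS = [
    make_event(5, "alice@DOMAIN.LOCAL", "FILESRV01$", "0x12"),
    make_event(100, "lowpriv@DOMAIN.LOCAL", "svc_sql", "0x17"),
    make_event(101, "lowpriv@DOMAIN.LOCAL", "svc_web", "0x17"),
    make_event(101, "lowpriv@DOMAIN.LOCAL", "svc_backup", "0x17"),
    make_event(300, "alice@DOMAIN.LOCAL", "svc_sql", "0x12"),
    make_event(4000, "alice@DOMAIN.LOCAL", "svc_web", "0x12"),
]


def is_user_service(name):
    """Skip machine accounts (trailing $) and krbtgt; keep user-backed services."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def find_spn_sweeps(events, window=60, threshold=3):
    """Return {requester: details} for accounts that requested tickets for
    `threshold` or more distinct user-backed services within `window` seconds."""
    by_requester = defaultdict(list)
    for ev in events:
        if is_user_service(ev["ServiceName"]):
            by_requester[ev["TargetUserName"]].append(ev)

    findings = {}
    for requester, evs in by_requester.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window` s.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            in_window = evs[start:end + 1]
            services = {e["ServiceName"] for e in in_window}
            if len(services) >= threshold:
                rc4 = sum(e["TicketEncryptionType"] == RC4_HMAC for e in in_window)
                findings[requester] = {"services": sorted(services), "rc4_tickets": rc4}
                break
    return findings
```

The window and threshold need tuning against the baseline of the environment, since some legitimate accounts routinely touch many services.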