As a pentester, Kerberoasting used to reveal a service password on about 50% of networks in the 2010s when admins were making the passwords. Today our advice to clients on Kerberoasting is the same as it was back then: use a password manager to generate a 21-character password for all service accounts and disable RC4 where possible. 52^21 is quite a large key space, and even at 10^10 guesses per second over a year your chances are less than 1 in a billion of a successful crack.

Cheap cloud storage has never returned rainbow tables to viability, right? I stopped checking sometime after I got out of the space.

Salting defeats the rainbow table; Kerberos uses PBKDF2, which defeats the rainbows.

> disable RC4 where possible

I'm curious. Under what circumstances would it be _not_ possible to disable RC4?

Is this in case there is a Windows 98 machine running somewhere in the network?

In my experience it's always been legacy hardware or industrial automation where it would cost millions to update the equipment / software. Simply limiting the blast radius of those systems and isolating them on the network into their own security zone is always less expensive and thus the perfectly reasonable solution.