Kerberos authentication is a ticketing system giving users various permissions to access various systems.

Kerberos uses Service Principal Names (SPNs) as account identifiers.

If you can authenticate to Active Directory, you can request a ticket for a given SPN.

Retrieve SPNs with impacket-GetUserSPNs.

Obtaining this ticket, you can then try to crack it using hashcat -m 13100.

Once cracked, go to town, login. Do the things.