mr_mitm 4 hours ago

> I've done Kerberoasting and AS-REP roasting a handful of times only, but from what I recall, RC4 can be cracked within reasonable time regardless of your password complexity

That's not quite right. If the password is sufficiently strong, you won't crack it even when RC4 is used. The password space is infinite.

You might be thinking of the LM hash, where you are guaranteed to find the password within minutes, because the password space is limited to 7 character passwords.

> Rotating the KDC/krbtgt credential is also still a nightmare.

I also disagree there. Just change it exactly once every two weeks or so. Just don't do it more than once within 10 hours. See: https://adsecurity.org/?p=4597

What I wonder is why Windows isn't changing it itself every 30 days or so, just like every computer account password.

> why doesn't Microsoft alert directory administrators (and security teams) when someone is dumping tickets for kerberoasting by default?

Good question. Probably because they want you to license some Defender product which does this.
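The alerting gap the last quote raises, as an added example that is not from the thread: a small Python detector over constructed Windows Security event 4769 lines that flags an account requesting RC4 (0x17) service tickets for many distinct SPNs in a short window. Field names follow the 4769 event; the flat log format, the thresholds and the sample values are assumptions.

```python
# Added example (not from the thread): flag Kerberoasting-like bursts in
# Windows Security event 4769 by looking for many RC4 (0x17) service-ticket
# requests from one account in a short window. Log lines are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_4769 = """\
2024-05-01T09:00:01 4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.0.5
2024-05-01T09:00:02 4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_iis TicketEncryptionType=0x17 IpAddress=10.0.0.5
2024-05-01T09:00:03 4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.0.5
2024-05-01T09:00:04 4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_mssql2 TicketEncryptionType=0x17 IpAddress=10.0.0.5
2024-05-01T09:00:05 4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_exch TicketEncryptionType=0x17 IpAddress=10.0.0.5
2024-05-01T09:00:10 4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 IpAddress=10.0.0.9
2024-05-01T09:45:00 4769 TargetUserName=carol@CORP.LOCAL ServiceName=svc_legacy TicketEncryptionType=0x17 IpAddress=10.0.0.7
"""

RC4_HMAC = "0x17"  # etype 23 (rc4-hmac); AES etypes are 0x11 / 0x12

def parse_4769(text):
    """Parse the constructed '<ts> <event id> key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        ts, event_id, *fields = line.split()
        rec = {"ts": datetime.fromisoformat(ts), "event_id": event_id}
        rec.update(f.partition("=")[::2] for f in fields)  # (key, value) pairs
        events.append(rec)
    return events

def rc4_burst_accounts(events, window=timedelta(minutes=5), min_spns=4):
    """Return {account: [spns]} for accounts that requested RC4 service tickets
    for at least `min_spns` distinct SPNs inside any window of length `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["event_id"] == "4769" and e.get("TicketEncryptionType") == RC4_HMAC:
            by_user[e["TargetUserName"]].append((e["ts"], e["ServiceName"]))
    flagged = {}
    for user, reqs in by_user.items():
        reqs.sort()  # chronological, so each request can open a window
        for i, (t0, _) in enumerate(reqs):
            spns = {spn for t, spn in reqs[i:] if t - t0 <= window}
            if len(spns) >= min_spns:
                flagged[user] = sorted(spns)
                break
    return flagged
```

A single RC4 request from a legacy host (carol above) is not flagged, which is the trade-off: the thresholds need tuning against the domain's baseline of legitimate RC4 use.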