Kerberos pre-authentication requests return different response for valid and invalid users. The tool kerbrute allows you to rapidly identify valid usernames in a target domain.
kerbrute userenum -d contoso.com usernames.txt
An extremely underrated option for username enumeration is to view the address books of network-attached printers. Printers almost never require authentication for this - the address book will give you the naming convention and a handful of target usernames.
Password Brute-Forcing
Kerberos is an extremely fast protocol for password brute forcing - you can use kerbrute again here.
However, I have had a lot of false negatives with this method. I recommend just finding the least visible host (from XDR) and firing off SMB authentication attempts.
ASREP roasting allows you to request password hashes for accounts that don't require Kerberos pre-authentication. You can try to brute-force identify ASREP accounts from a valid user list (see above).
Note that you can Kerberoast non-ASREP accounts from an ASREP account without credentials.
Pre-2000 Computers
Very old Windows machines may be set to use pre-2000's default passwords - the hostname.
You can discover these in a variety of ways, but you'll likely get a STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT error when you've guessed the right password. You can reset the account's password with impacket-changepasswd, but try to use the kpasswd method for best results:
Dynamic DNS Injection
Some domains allow for dynamic DNS updates for compatibility. Hijack server DNS records to intercept authentication, either NTLM/Kerberos or cleartext protocols.