Microsoft
MicrosoftIhor43 You can have a 4625 after a successful authentication. We actually need to authenticate the user before evaluating the logon type privilege. So you type your U/P (username/password) to open your session, you get a TGT because you typed the correct U/P, get a service ticket for HOST/<the system you are logging into> which is also successful because your TGT is valid (assuming you don't have Kerberos Authentication Policies interfering here). But then when the system read that ticket and evaluate the privilege, it comes to the conclusion that based on your identity and your group membership, you don’t have the right level of privilege. Also note that in that case the 4625 is a local event on the system you are trying to access whereas the 4768 and 4769 will be only on the domain controller serving the requests.
Similar things would happen if you try to access a file share on which you have a deny ACE. You would successfully obtain a ticket for a file server, present it to the file server, even get a 4624 on the file server (because this time there’s no issue with system privilege, assuming you have the privilege "Access this computer from the network") BUT then get an access denied message on file access (which by the way you can configure the text of using the Access Denied Assistance feature).