OK. I have dug in further and the event 4769 is generated by active directory ONLY in the Advanced Security Audit Account login options and you choose to Audit Kerberos Service Tickets. This is not on by default!!! Audit Kerberos Service Ticket Operations
There's no information from SW other than "4769 should be generated to correspond with 4768 within 20 seconds" blah blah blah. But no, no it should not because AD does not have this option on by default. I fail to see the purpose of 4769 when 4768 generates a login success and location/IP. We have AD Audit from ManageEngine and it pulls just fine on 4768. It is really frustrating having to dig into something that isn't properly documented too. Please fix your Adminstrator's guide to actually detail the requirements, rather than "it should get 4769" when it isn't a default turned on feature of AD. For me to turn this on my domain controllers now is going to be a major headache not to mention a massive increase in events.
I apologize for the incovenience with the admin guide and will request the update. Thanks for letting us know.
Latest Admin guide does not include details about Audit Kerberos Authentication Service and Audit Kerberos Service Ticket Operations policies.
Will you please followup with doc rep?
Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Logon