diff --git a/Kerberos.NET/Entities/Krb/KrbKdcRep.cs b/Kerberos.NET/Entities/Krb/KrbKdcRep.cs
index 092ed87..508b7d8 100644
--- a/Kerberos.NET/Entities/Krb/KrbKdcRep.cs
+++ b/Kerberos.NET/Entities/Krb/KrbKdcRep.cs
@@ -116,7 +116,11 @@ out MessageType messageType
 if (request.Compatibility.HasFlag(KerberosCompatibilityFlags.NormalizeRealmsUppercase))
 {
 request.RealmName = request.RealmName?.ToUpperInvariant();
- request.ClientRealmName = request.ClientRealmName?.ToUpperInvariant() ?? throw new InvalidOperationException("Unknown client realm name");
+
+ if (request.Compatibility.HasFlag(KerberosCompatibilityFlags.IsolateRealmsConsistently))
+ {
+ request.ClientRealmName = request.ClientRealmName?.ToUpperInvariant() ?? throw new InvalidOperationException("Unknown client realm name");
+ }
 }

 authz ??= GenerateAuthorizationData(request);
diff --git a/Tests/Tests.Kerberos.NET/Messages/KrbKdcRepTests.cs b/Tests/Tests.Kerberos.NET/Messages/KrbKdcRepTests.cs
index 9c6d69c..01d7721 100644
--- a/Tests/Tests.Kerberos.NET/Messages/KrbKdcRepTests.cs
+++ b/Tests/Tests.Kerberos.NET/Messages/KrbKdcRepTests.cs
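Review bot: In the KrbKdcRep.cs hunk the uppercase normalization of `ClientRealmName` is now gated together with the null check, so with `NormalizeRealmsUppercase` set and `IsolateRealmsConsistently` clear a non-null client realm keeps the caller's casing while `RealmName` is uppercased. If the client realm is later written into the ticket or compared against another realm (that code is outside the hunk), the two values can disagree on case, which is the inconsistency realm normalization is meant to remove. Consider normalizing whenever a value is present and gating only the throw: `request.ClientRealmName = request.ClientRealmName?.ToUpperInvariant();` followed by `if (request.ClientRealmName is null && request.Compatibility.HasFlag(KerberosCompatibilityFlags.IsolateRealmsConsistently)) { throw new InvalidOperationException("Unknown client realm name"); }`. If leaving the value untouched is deliberate, a short comment saying why would help the next reader. The enclosing method starts and ends outside the hunk.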
@@ -69,6 +69,42 @@ public void CreateServiceTicket_NullPrincipal()
 });
 }

+ [TestMethod]
+ public void CreateServiceTicket_NullClientRealmName()
+ {
+ var key = KrbEncryptionKey.Generate(EncryptionType.AES128_CTS_HMAC_SHA1_96).AsKey();
+
+ // This should not throw, as ClientRealmName is allowed to be null if CompatibilityFlags.IsolateRealmsConsistently is not set
+ var tgsRep = KrbKdcRep.GenerateServiceTicket(new ServiceTicketRequest
+ {
+ EncryptedPartKey = key,
+ ServicePrincipal = new FakeKerberosPrincipal("blah@blah.com"),
+ ServicePrincipalKey = key,
+ Principal = new FakeKerberosPrincipal("blah@blah2.com"),
+ RealmName = "blah.com",
+ ClientRealmName = null,
+ Compatibility = KerberosCompatibilityFlags.NormalizeRealmsUppercase,
+ });
+ }
+
+ [TestMethod]
+ [ExpectedException(typeof(InvalidOperationException))]
+ public void CreateServiceTicket_NullClientRealmName_IsolateRealmsConsistently()
+ {
+ var key = KrbEncryptionKey.Generate(EncryptionType.AES128_CTS_HMAC_SHA1_96).AsKey();
+
+ var tgsRep = KrbKdcRep.GenerateServiceTicket(new ServiceTicketRequest
+ {
+ EncryptedPartKey = key,
+ ServicePrincipal = new FakeKerberosPrincipal("blah@blah.com"),
+ ServicePrincipalKey = key,
+ Principal = new FakeKerberosPrincipal("blah@blah2.com"),
+ RealmName = "blah.com",
+ ClientRealmName = null,
+ Compatibility = KerberosCompatibilityFlags.NormalizeRealmsUppercase | KerberosCompatibilityFlags.IsolateRealmsConsistently,
+ });
+ }
+
 [TestMethod]
 public void CreateServiceTicket()
 {
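Review bot: `CreateServiceTicket_NullClientRealmName` asserts nothing: `tgsRep` is never read, so the test passes whenever no exception escapes and says nothing about which client realm the reply carries when `ClientRealmName` is null. Add at least `Assert.IsNotNull(tgsRep);` and a check of the client realm on the resulting reply, so a silent fallback to an unexpected realm is caught. In `CreateServiceTicket_NullClientRealmName_IsolateRealmsConsistently`, `[ExpectedException]` is satisfied by an `InvalidOperationException` from any statement in the method, including key generation; wrapping only the `GenerateServiceTicket` call in `Assert.ThrowsException<InvalidOperationException>(...)` would pin the failure to the realm check. A case with a non-null mixed-case `ClientRealmName` under each flag combination would also cover the normalization path that the first hunk changes.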