}
        case 3, 4, 5 -> {
            // NTLMv2 - returns empty for unicode hash as NTLMv2 doesn't use it
            yield new byte[0];
        }
        default -> {
            // Default to NTLMv2 behavior (empty response)
            log.info("Defaulting to secure NTLMv2 authentication (no unicode hash)");
            yield new byte[0];
        }
        };
    }

    /**

import jcifs.ntlmssp.Type2Message;
import jcifs.ntlmssp.Type3Message;
import jcifs.util.Crypto;
import jcifs.util.Hexdump;

/**
 * For initiating NTLM authentication (including NTLMv2). If you want to add NTLMv2 authentication support to something
 * this is what you want to use. See the code for details. Note that JCIFS does not implement the acceptor side of NTLM
 * authentication.
 *
 */

        lenient().when(mockConfig.getOemEncoding()).thenReturn("UTF-8");
        lenient().when(mockConfig.getRandom()).thenReturn(mockRandom);
        lenient().when(mockConfig.getLanManCompatibility()).thenReturn(3); // Default NTLMv2
        lenient().when(mockConfig.getMachineId()).thenReturn(machineId);
        lenient().when(mockCtx.getConfig()).thenReturn(mockConfig);
        lenient().when(mockCtx.getNameServiceClient()).thenReturn(mockNameServiceClient);

        assertTrue("Minimum version should be at least SMB2.0.2", config.getMinimumVersion().atLeast(DialectVersion.SMB202));

        // Verify LM compatibility level is 3 or higher (NTLMv2 only)
        assertTrue("LM compatibility should be 3 or higher for NTLMv2 only", config.getLanManCompatibility() >= 3);
        assertEquals("LM compatibility should default to 3", 3, config.getLanManCompatibility());

    * Indicates that the NTLM2 signing and sealing scheme should be used
    * for protecting authenticated communications.  This refers to a
    * particular session security scheme, and is not related to the use
    * of NTLMv2 authentication.
    */
    int NTLMSSP_NEGOTIATE_NTLM2 = 0x00080000;

    /**
     * Requests an initial response token.
     */
    int NTLMSSP_REQUEST_INIT_RESPONSE = 0x00100000;

    /**

    }

    /**
     * Returns the NT/NTLMv2 response.
     *
     * @return A <code>byte[]</code> containing the NT/NTLMv2 response.
     */
    public byte[] getNTResponse() {
        return ntResponse;
    }

    /**
     * Sets the NT/NTLMv2 response for this message.
     *
     * @param ntResponse The NT/NTLMv2 response.
     */

     *         The target information block is used by the client to create an
     *         NTLMv2 response.
     */
    public byte[] getTargetInformation() {
        return this.targetInformation;
    }

    /**
     * Sets the target information block.
     * The target information block is used by the client to create
     * an NTLMv2 response.
     *
     * @param targetInformation

    }

    /**
     * Returns the NT/NTLMv2 response.
     *
     * @return A <code>byte[]</code> containing the NT/NTLMv2 response.
     */
    public byte[] getNTResponse() {
        return this.ntResponse;
    }

    /**
     * Sets the NT/NTLMv2 response for this message.
     *
     * @param ntResponse
     *            The NT/NTLMv2 response.
     */

     * Indicates that the NTLM2 signing and sealing scheme should be used
     * for protecting authenticated communications. This refers to a
     * particular session security scheme, and is not related to the use
     * of NTLMv2 authentication.
     */
    int NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000;

    /**
     * ?? According to spec this is a reserved bit and must be set to zero
     */

        byte[] viaPassword = NtlmUtil.nTOWFv2(domain, user, password);

        // Assert: overloads consistent
        assertArrayEquals(viaHash, viaPassword, "Both overloads must compute same NTLMv2 key");

        // Changing domain should change the key (domain is part of MAC input)
        byte[] differentDomain = NtlmUtil.nTOWFv2("DOMAIN", user, password);