Forum Discussion
First, let's separate client-side authentication from server-side. These are two separate processes that are not necessarily intertwined. NTLM is a challenge/response protocol. The server sends a 401 message indicating it wants the client to present credentials, and in the NTLM process, the client sends back (more or less) a hash of its password to the server to prove that it knows the password. That's pretty straightforward on the server side (SSO) because APM (the client in this case) has the password and just has to generate this hash. But on the client side, APM is the server. It'll send the 401 to request authentication, and the client will summarily send the hash, but without the NTLM account/config stuff, it has no way to verify the hash.
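The verification problem described above, as an added example that is not part of the original post: a simplified NTLMv2-style proof check (HMAC-MD5 keyed from the account's NT hash over the server challenge) showing that a verifier with no account key material can neither accept nor reject a response. The `account_db` dict is a hypothetical stand-in for wherever that key material lives, the NT hashes and names are constructed sample values, and message framing (Type 1/2/3 encoding) is left out.

```python
import hashlib
import hmac
import os

def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 keyed by the NT hash over UPPER(user)+domain, UTF-16LE."""
    ident = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, ident, hashlib.md5).digest()

def client_response(nt_hash, user, domain, server_challenge, blob):
    """What the client returns after the challenge: 16-byte proof followed by its blob."""
    key = ntowf_v2(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob

def verify_response(account_db, user, domain, server_challenge, response):
    """Server-side check. Returns True or False, or None when the verifier holds
    no key material for the account and therefore cannot decide either way."""
    nt_hash = account_db.get((domain.upper(), user.upper()))
    if nt_hash is None:
        return None
    proof, blob = response[:16], response[16:]
    key = ntowf_v2(nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)

# Constructed sample values, not taken from any real account.
NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
WRONG_HASH = bytes.fromhex("ffeeddccbbaa99887766554433221100")
USER, DOMAIN = "alice", "EXAMPLE"

def demo():
    challenge = os.urandom(8)   # 8-byte server challenge
    blob = os.urandom(32)       # stands in for timestamp, client nonce, target info
    good = client_response(NT_HASH, USER, DOMAIN, challenge, blob)
    bad = client_response(WRONG_HASH, USER, DOMAIN, challenge, blob)
    directory = {("EXAMPLE", "ALICE"): NT_HASH}  # hypothetical account store
    return {
        "no_account_data": verify_response({}, USER, DOMAIN, challenge, good),
        "right_password": verify_response(directory, USER, DOMAIN, challenge, good),
        "wrong_password": verify_response(directory, USER, DOMAIN, challenge, bad),
        "replayed_on_new_challenge": verify_response(
            directory, USER, DOMAIN, os.urandom(8), good),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The `None` result is the case the post describes: the front end issued the challenge and received a well-formed response, but has nothing to compare it against.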