The best source of info on NTLM is NTLM Authentication Scheme for HTTP document. I have found it when decided to implement APS. But during my experiments with it I found several differences in that I see from the description in it. Possibly it means that NTLM is quite flexible.
NTLM method may be used with HTTP proxies, WWW, SMTP, TELNET servers to authenticate user. APS do NTLM authentication at HTTP proxies and WWW servers. As far as I know fetchmail can do NTLM authentication with IMAP at MS Exchange server.
I have spent some time on telnet's version of NTLM. Here is a transcript of a telnet session between MS telnet server and telnet client from Windows 2000 pro SP2. It appears that the implementation uses unknown for me fields in "message 2" from server and "message 3" from client. In both cases the additional info goes in the end of messages. Possibly it is new version of NTLM, so called NTLMv2.0. Unfortunately I could not find any availabe info on NTLMv2.0.
More to follow...