OK, so you'd need to write a server implementation of NTLM authentication in an iRule. This is difficult and probably not really a good idea because of the complexity.
APM does provide this mechanism to validate the creds via NTLM, however with APM we don't have any access to the password because of how NTLM works (it's technically impossible). To get around this, SAML or kerberos is usually used. Like this:
- User authenticates to APM via IE w/NTLM automatic-authentication in Local Intranet.
- User now has APM session with their username (username is grabbed from NTLM, but not the PW)
- APM SSOs the user to some other IIS backend via Kerberos S4U, using the username and a service account