In version 11.3, the HTTP monitor supports NTLM authentication. For the username, the domain must be capitalized.
DOMAIN/user
Something that I find odd, is that, according to F5 documentation, it doesn't matter if you use a back slash or a forward slash. I would recommend a forward slash "/" since the back slash is an escape character.
You also can't use "connection close" like in most monitors. I have also found that you need a user agent sting for it to work. So it looks something like this:
GET /owa/ HTTP/1.1\r\nHost: [hostname or IP]\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)\r\nConnection: keep-alive
I have gotten this to work without "connection keep alive" and I don't think it matters what the user agent string is, just as long as it is there.
http://support.f5.com/kb/en-us/solutions/public/13000/800/sol13821.html
http://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-ltm-11-1-0.html
If you are not on v11, this should help you out.
https://devcentral.f5.com/wiki/advdesignconfig.SuperHTTPMonitor.ashx