I was working to provide NTLM authentication to a RSS aggregator plugin http://confluence.atlassian.com/display/CONFEXT/RSS+aggregator+macro+plugin , in our implementation the rssaggregator needed to access rss feed from an IIS installed application within an AD intergrated setup, so our http request needed to go through NTLM authentication.
What I found out during this exercise is that if one is on the same AD domain as the server hosting the secure contents then JDK 1.5 and 1.6 does a transparent authentication at the backend, automatically transferring the login details from the http client to the server , however if the request is being made from a client outside the domain then the login details have to be provided using the username and password for the client accessing the protected resource, for that I found the Jave Authenticator class to be the best option, since you do not have to alter your existing code and just call the Authenticator before the http request and populate the authentication credentials in it. Worked really well for me.
Two exhaustive definitions of how ntlm works, and the interactions
Useful link to valid Java Implementation