The problem with using AuthenNTLM in this way is that, in the HTTP headers sent back by the server, you have to advertise the authentication methods you support.

If, for example, your server supports basic and NTLM authentication, the first time you connect to a location that requires authentication, you'll get back something like:-

HTTP/1.1 401 Access Denied
Server: **************
Date: Thu, 24 Jul 2003 20:55:04 GMT
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="*******"
Content-Length: 24
Content-Type: text/html

Here, this server is advertising that it supports basic and NTLM authentication. A browser which also supports NTLM authentication will now automatically re-send the request, including the NTLM hash in the request headers to authenticate to the server. The server will verify this hash and, if it accepts it, will allow the client to access the resource.

If, on the other hand, the browser didn't support NTLM authentication but supported basic authentication, it would prompt the user for a username and password (unless cached), and would concatenate them, base-64 encode the result, and sent that back to the server as the "authenticatior".

Unless you can get your Oracle server to send out a "www-Authenticate: NTLM" header, the browsers accessing this system will never know that NTLM authentication is supported. Therefore, your scheme will not work.

Your best bet would be to set Apache up as a proxy, only allow connections to the Oracle server from the Apache server (use the IP address to restrict it, for example), and have Apache manage the authentication for you.