The NTLM is a non-standard mechanism. Do not use it in new applications, and do not expect it to be secure. Currently only the client side is supported.
In the client, this mechanism is always enabled, and it requires the
GSASL_PASSWORD properties. It will set
the ‘domain’ field in the NTLM request to the value of
GSASL_REALM. Some servers reportedly need non-empty but
arbitrary values in that field.