Is there any solution to not only proxy NTLM but to convert HTTP Basic Auth on the input side to NTLM on the output side?
Background: An internal SharePoint server using NTLM Auth should be accessible via an Apache reverse proxy. The problem is NTLM is stateful and mod_proxy can’t deal with it. Now Apache with mod_proxy could just provide Basic Auth (and authenticate via a passwd file or similar) and proxy to another internal Basic-Auth-to-NTLM translator. This just reads our HTTP Auth credentials and passes them to the SharePoint server.
There is no purely Apache-based solution in existence. Your options (that I know of and have tried myself) are:
There is also Nginx Plus, which claims to support it, but I haven't tried it.
You can put your new reverse proxy in front of that Apache. Not "Apache serves something and proxies something" but à la "Caddy proxies everything, distributing between different back ends". That would result in a better overall architecture with clearly defined roles and weak service inter-dependence: a proxy server does only proxying, while a web server does only serving, and each part can be replaced or managed independently (e.g. by different teams of admins, etc.).
If you choose to go with Caddy, first you need to move Apache to some ports other than 80/443. Caddy will listen there, and it must reverse proxy not only your NTLM stuff, but also the stuff Apache is serving. As a bonus point, you may use Caddy's automatic SSL features (it has, e.g., a built-in ACME client to interact with Let's Encrypt and ZeroSSL), strip SSL and only use one non-default port for Apache's HTTP.
Or, you can move all the load onto Caddy altogether, getting rid of Apache. But I wouldn't do that.
Alternatively, you can run a dedicated small VM (or container) with just Caddy and expose it to the outside; this is the solution I ended up with in the past when I was solving exactly the same problem (the reverse proxy for OWA and some other web site, using only a single public IP address). This also would be the only possible solution if you choose Kerio.
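
A sketch of the "Caddy in front, Apache moved off 80/443" layout described in the answer above, added here as an illustration and not taken from the original post. It assumes Caddy v2 built with the separate `github.com/caddyserver/ntlm-transport` module (stock Caddy does not include it); all hostnames, addresses and ports are placeholders.

```caddyfile
# Build assumption: xcaddy build --with github.com/caddyserver/ntlm-transport
# Hostnames, IPs and ports below are placeholders, not values from the post.

# Public name for the NTLM-protected back end (e.g. SharePoint).
sharepoint.example.com {
	# Caddy obtains and renews the certificate through its built-in ACME client.
	reverse_proxy 10.0.0.20:80 {
		# NTLM authenticates the TCP connection, not each request.
		# This transport ties every client connection to its own
		# upstream connection, so the handshake state is never shared
		# between users through a pooled connection.
		transport http_ntlm
	}
}

# Everything Apache used to serve directly on 80/443.
www.example.com {
	# Apache now listens on a single non-default HTTP port. Bind it to
	# loopback (Apache: "Listen 127.0.0.1:8080") so it cannot be reached
	# except through this proxy.
	reverse_proxy 127.0.0.1:8080
}
```

This passes the client's NTLM handshake through to the back end unchanged; it does not translate Basic Auth into NTLM.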