Hi,
You are correct.
::> vserver vscan scanner-pool create -vserver svm1 -scanner-pool vijay_pool1 -hostnames xx.xx.xx.xx -privileged-users administrator@naslab.local
Error: command failed: The privileged user name "administrator@naslab.local" is invalid. A valid privileged user name must be in the form "domain-name\user-name".
But i dont think we need to add anywhere in the format user@domain. With domain\user Kerberos works well. kerberos is possible if SPN is present for the host principal.
If i have a packet trace i can say why NTLM is selected over Kerberos.
I would recommend to open a support case to check if the VSCAN LIF's are properly configured with SPN's added for it so that VSCAN can connect to SVM using Kerberos authentication.