diff --git a/lib/auth/middleware.go b/lib/auth/middleware.go
index b6b6d27b67821..8d72110c56243 100644
--- a/lib/auth/middleware.go
+++ b/lib/auth/middleware.go
@@ -592,7 +592,7 @@ func (a *Middleware) WrapContextWithUser(ctx context.Context, conn *tls.Conn) (c
 // Perform the handshake if it hasn't been already. Before the handshake we
 // won't have client certs available.
 if !conn.ConnectionState().HandshakeComplete {
- if err := conn.Handshake(); err != nil {
+ if err := conn.HandshakeContext(ctx); err != nil {
 return nil, trace.ConvertSystemError(err)
 }
 }
diff --git a/lib/utils/tlsdial.go b/lib/utils/tlsdial.go
index fb2d0ad2feaa5..683a6daa8ec2e 100644
--- a/lib/utils/tlsdial.go
+++ b/lib/utils/tlsdial.go
@@ -47,7 +47,7 @@ func TLSDial(ctx context.Context, dial DialWithContextFunc, network, addr string
 conn := tls.Client(plainConn, tlsConfig)
 errC := make(chan error, 1)
 go func() {
- err := conn.Handshake()
+ err := conn.HandshakeContext(ctx)
 errC <- err
 }()
diff --git a/lib/web/desktop.go b/lib/web/desktop.go
index e8655a5bba24f..ee471a085acdf 100644
--- a/lib/web/desktop.go
+++ b/lib/web/desktop.go
@@ -138,7 +138,7 @@ func (h *Handler) createDesktopConnection(
 WriteBufferSize: 1024,
 }
- pc, err := proxyClient(r.Context(), ctx, h.ProxyHostPort())
+ pc, err := proxyClient(r.Context(), ctx, h.ProxyHostPort(), username)
 if err != nil {
 return trace.Wrap(err)
 }
@@ -164,7 +164,7 @@ func (h *Handler) createDesktopConnection(
 }
 serviceConnTLS := tls.Client(serviceConn, tlsConfig)
- if err := serviceConnTLS.Handshake(); err != nil {
+ if err := serviceConnTLS.HandshakeContext(r.Context()); err != nil {
 return trace.NewAggregate(err, sendTDPError(ws, err))
 }
 log.Debug("Connected to windows_desktop_service")
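Review bot: `conn.HandshakeContext(ctx)` in the middleware.go hunk only bounds the handshake when ctx is cancelled or carries a deadline; if the ctx passed to WrapContextWithUser is a long-lived connection context, a peer that stalls mid-handshake still pins this goroutine exactly as it did with the old `Handshake()`. Where ctx has no deadline, derive one for the handshake alone, `hctx, cancel := context.WithTimeout(ctx, HANDSHAKE_TIMEOUT)` (placeholder for the project's handshake timeout value) followed by `defer cancel()` and `if err := conn.HandshakeContext(hctx); err != nil {`; cancelling that derived context after the handshake completes does not affect the established connection. The same consideration applies to the lib/web/desktop.go hunk at @@ -164, where `r.Context()` bounds the handshake only if the server cancels the request context or it carries a deadline. WrapContextWithUser continues outside the hunk, so whether ctx already has a deadline cannot be seen here.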
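Review bot: With `conn.HandshakeContext(ctx)` the goroutine and the `errC` channel around it in the tlsdial.go hunk are redundant, because HandshakeContext itself returns with an error once ctx is done; the handshake can be called inline as `if err := conn.HandshakeContext(ctx); err != nil {` followed by whatever plainConn cleanup the existing error path performs. The code that presumably selects on errC and ctx.Done() lies outside the hunk, as does the rest of TLSDial, so confirm against the lines below before removing the channel. Keeping both mechanisms leaves two cancellation paths to reason about for one operation, which is the kind of thing that later hides a leaked connection.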
@@ -185,11 +185,17 @@ func (h *Handler) createDesktopConnection(
 return nil
 }
-func proxyClient(ctx context.Context, sessCtx *SessionContext, addr string) (*client.ProxyClient, error) {
+func proxyClient(ctx context.Context, sessCtx *SessionContext, addr, windowsUser string) (*client.ProxyClient, error) {
 cfg, err := makeTeleportClientConfig(ctx, sessCtx)
 if err != nil {
 return nil, trace.Wrap(err)
 }
+
+ // Set HostLogin to avoid the default behavior of looking up the
+ // Unix user Teleport is running as (which doesn't work in containerized
+ // environments where we're running as an arbitrary UID)
+ cfg.HostLogin = windowsUser
+
 if err := cfg.ParseProxyHost(addr); err != nil {
 return nil, trace.Wrap(err)
 }
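Review bot: The new windowsUser parameter is assigned to `cfg.HostLogin` without an empty-value check, and if HostLogin is left empty the Unix-user lookup the new comment says this avoids would presumably still run, which is the behaviour the change wants to rule out in containers. Suggest `if windowsUser == "" { return nil, trace.BadParameter("windows user is required") }` ahead of the assignment, and since proxyClient has no doc comment, one such as `// proxyClient builds a ProxyClient for addr on behalf of sessCtx; windowsUser becomes HostLogin so no local Unix user lookup is needed.` The caller at @@ -138 passes `username`, whose origin is outside these hunks, so whether it can arrive empty is not visible here. That the fallback lookup is keyed on an empty HostLogin is taken from the added comment rather than from code in the hunk.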