From 986e0f0516038838eadef296eac7ca5285c3f902 Mon Sep 17 00:00:00 2001
From: Carson Anderson
Date: Thu, 19 May 2022 15:21:45 -0600
Subject: [PATCH 1/2] add hostlogin to proxy config for windows

---
 lib/web/desktop.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/web/desktop.go b/lib/web/desktop.go
index e8655a5bba24f..c7fb3b45c0a75 100644
--- a/lib/web/desktop.go
+++ b/lib/web/desktop.go
@@ -193,6 +193,7 @@ func proxyClient(ctx context.Context, sessCtx *SessionContext, addr string) (*cl
 	if err := cfg.ParseProxyHost(addr); err != nil {
 		return nil, trace.Wrap(err)
 	}
+	cfg.HostLogin = sessCtx.user
 	tc, err := client.NewClient(cfg)
 	if err != nil {
 		return nil, trace.Wrap(err)

From 8f29d2a93d0e0ffa5a81096282d43e75b57839e4 Mon Sep 17 00:00:00 2001
From: Zac Bergquist
Date: Fri, 20 May 2022 09:09:30 +0200
Subject: [PATCH 2/2] Set ProxyClient's HostLogin to the Windows username

Also convert a few TLS handshakes to a context-aware version for better timeout/cancelation behavior.

---
 lib/auth/middleware.go | 2 +-
 lib/utils/tlsdial.go | 2 +-
 lib/web/desktop.go | 13 +++++++++----
 3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/lib/auth/middleware.go b/lib/auth/middleware.go
index b6b6d27b67821..8d72110c56243 100644
--- a/lib/auth/middleware.go
+++ b/lib/auth/middleware.go
@@ -592,7 +592,7 @@ func (a *Middleware) WrapContextWithUser(ctx context.Context, conn *tls.Conn) (c
 	// Perform the handshake if it hasn't been already. Before the handshake we
 	// won't have client certs available.
 	if !conn.ConnectionState().HandshakeComplete {
-		if err := conn.Handshake(); err != nil {
+		if err := conn.HandshakeContext(ctx); err != nil {
 			return nil, trace.ConvertSystemError(err)
 		}
 	}
diff --git a/lib/utils/tlsdial.go b/lib/utils/tlsdial.go
index fb2d0ad2feaa5..683a6daa8ec2e 100644
--- a/lib/utils/tlsdial.go
+++ b/lib/utils/tlsdial.go
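Review bot: HandshakeContext(ctx) only interrupts the handshake when ctx is cancelled and adds no deadline of its own, so if the caller of WrapContextWithUser hands in a context without one, a peer that stalls mid-handshake still holds this goroutine open; the enclosing function starts outside the hunk, so whether ctx carries a deadline is not visible here. If it does not, derive a bounded context around the call: `hctx, cancel := context.WithTimeout(ctx, handshakeTimeout)` / `defer cancel()` / `if err := conn.HandshakeContext(hctx); err != nil {`, with `handshakeTimeout` being a value still to be chosen. The same point applies to the `serviceConnTLS.HandshakeContext(r.Context())` line in the lib/web/desktop.go -164 hunk, where r.Context() carries no deadline unless the http.Server configures one.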
@@ -47,7 +47,7 @@ func TLSDial(ctx context.Context, dial DialWithContextFunc, network, addr string
 	conn := tls.Client(plainConn, tlsConfig)
 	errC := make(chan error, 1)
 	go func() {
-		err := conn.Handshake()
+		err := conn.HandshakeContext(ctx)
 		errC <- err
 	}()
diff --git a/lib/web/desktop.go b/lib/web/desktop.go
index c7fb3b45c0a75..ee471a085acdf 100644
--- a/lib/web/desktop.go
+++ b/lib/web/desktop.go
@@ -138,7 +138,7 @@ func (h *Handler) createDesktopConnection(
 		WriteBufferSize: 1024,
 	}
-	pc, err := proxyClient(r.Context(), ctx, h.ProxyHostPort())
+	pc, err := proxyClient(r.Context(), ctx, h.ProxyHostPort(), username)
 	if err != nil {
 		return trace.Wrap(err)
 	}
@@ -164,7 +164,7 @@ func (h *Handler) createDesktopConnection(
 	}
 	serviceConnTLS := tls.Client(serviceConn, tlsConfig)
-	if err := serviceConnTLS.Handshake(); err != nil {
+	if err := serviceConnTLS.HandshakeContext(r.Context()); err != nil {
 		return trace.NewAggregate(err, sendTDPError(ws, err))
 	}
 	log.Debug("Connected to windows_desktop_service")
@@ -185,15 +185,20 @@ func (h *Handler) createDesktopConnection(
 	return nil
 }
-func proxyClient(ctx context.Context, sessCtx *SessionContext, addr string) (*client.ProxyClient, error) {
+func proxyClient(ctx context.Context, sessCtx *SessionContext, addr, windowsUser string) (*client.ProxyClient, error) {
 	cfg, err := makeTeleportClientConfig(ctx, sessCtx)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
+
+	// Set HostLogin to avoid the default behavior of looking up the
+	// Unix user Teleport is running as (which doesn't work in containerized
+	// environments where we're running as an arbitrary UID)
+	cfg.HostLogin = windowsUser
+
 	if err := cfg.ParseProxyHost(addr); err != nil {
 		return nil, trace.Wrap(err)
 	}
-	cfg.HostLogin = sessCtx.user
 	tc, err := client.NewClient(cfg)
 	if err != nil {
 		return nil, trace.Wrap(err)
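Review bot: With HandshakeContext(ctx) the goroutine and the errC channel look redundant, because the handshake now returns on its own when ctx is cancelled; if the select that follows (outside the hunk, like the rest of TLSDial) only waits on errC and ctx.Done(), the body could shrink to a direct `if err := conn.HandshakeContext(ctx); err != nil {` feeding the existing error handling. One detail worth a comment on the new line: on cancellation mid-handshake, the standard library unblocks the handshake by closing the underlying connection, so an explicit plainConn.Close() in the cancel branch, if there is one, becomes a second close — `// HandshakeContext closes plainConn itself if ctx is cancelled mid-handshake` would keep that from being re-added later.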
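Review bot: An empty windowsUser leaves cfg.HostLogin at its zero value, which is exactly the case the new comment says should be avoided — presumably client.NewClient then falls back to the OS user lookup described there. A guard before the assignment, `if windowsUser == "" { return nil, trace.BadParameter("windows user is required") }`, makes that failure explicit instead of environment-dependent. Note also that HostLogin switches from the authenticated Teleport user (sessCtx.user, on the removed line) to a caller-chosen Windows login: the -138 hunk shows it arriving via the handler's username variable, whose origin is outside the hunk, so authorization of that login against the user's roles must be enforced downstream rather than implied by this client. A one-line comment naming where that check lives, next to the assignment, would help the next reader.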