Describe the bug
I am unable to connect to a workspace via RDP using the official Microsoft client. The connection hangs on a black screen displaying "Please wait." Attached container logs suggest an issue with authentication tokens, specifically Failed to parse token claims in call to return_rdp_gateway_session_settings from kasm_api.
Environment
Kasm Version: 1.18.1 (Fresh install)
Host: Proxmox 8.4.1
To Reproduce
Steps to reproduce the behavior:
- Install KASM with default settings in a Proxmox LXC per the installation notes below.
- Create a single workspace for the admin user using the Fedora 41 image from the supplied template.
- Validate the image can be started and connected via the web VNC interface.
- Attempt to connect to the KASM IP directly with the official Microsoft Remote Desktop client (Windows app).
- Observe the Windows Remote desktop client connect but only show a black screen with "Please wait" text in the middle.
Expected behavior
A login screen for the KASM RDP gateway.
Screenshots
Workspaces Version
1.18.1
Workspaces Installation Method
Proxmox helper script (Default installer, no special options)
Client Browser:
Bug appears on both MacOS latest and Windows 11 remote desktop client.
Workspace Server Information:
Linux kasm 6.8.12-10-pve #1 SMP PREEMPT_DYNAMIC PMX 6.8.12-10 (2025-04-18T07:39Z) x86_64 GNU/Linux
PRETTY_NAME="Debian GNU/Linux 13 (trixie)"
NAME="Debian GNU/Linux"
VERSION_ID="13"
VERSION="13 (trixie)"
VERSION_CODENAME=trixie
DEBIAN_VERSION_FULL=13.3
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
Client: Docker Engine - Community
Version: 29.1.5
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.30.1
Path: /usr/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v5.0.1
Path: /usr/libexec/docker/cli-plugins/docker-compose
model: Docker Model Runner (Docker Inc.)
Version: v1.0.7
Path: /usr/libexec/docker/cli-plugins/docker-model
Server:
Containers: 8
Running: 8
Paused: 0
Stopped: 0
Images: 17
Server Version: 29.1.5
Storage Driver: overlayfs
driver-type: io.containerd.snapshotter.v1
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan kasmweb/sidecar:amd64-1.4 macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
CDI spec directories:
/etc/cdi
/var/run/cdi
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: dea7da592f5d1d2b7755e3a161be07f43fad8f75
runc version: v1.3.4-0-gd6d73eb8
init version: de40ad0
Security Options:
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.8.12-10-pve
Operating System: Debian GNU/Linux 13 (trixie)
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 16GiB
Name: kasm
ID: 290441b4-5c2e-4310-b346-ffdcb8773789
Docker Root Dir: /var/lib/docker
Debug Mode: false
Experimental: false
Insecure Registries:
::1/128
127.0.0.0/8
Live Restore Enabled: false
Firewall Backend: iptables
sudo docker ps | grep kasm
root@kasm:~# docker ps | grep kasm
191cd2aa5060 kasmweb/proxy:1.18.1 "/docker-entrypoint.…" 13 hours ago Up 13 hours 80/tcp, 0.0.0.0:443->443/tcp, [::]:443->443/tcp kasm_proxy
080192a8c52a kasmweb/rdp-https-gateway:1.18.1 "/opt/rdpgw/rdpgw" 13 hours ago Up 13 hours (healthy) kasm_rdp_https_gateway
66fee29440b2 kasmweb/agent:1.18.1 "python3 /src/Provis…" 13 hours ago Up 13 hours (healthy) 4444/tcp kasm_agent
f96e86caa64d kasmweb/rdp-gateway:1.18.1 "/start.sh" 13 hours ago Up 13 hours (healthy) 0.0.0.0:3389->3389/tcp, [::]:3389->3389/tcp kasm_rdp_gateway
f6a5cdff1e38 kasmweb/api:1.18.1 "/bin/sh -c /usr/bin…" 13 hours ago Up 13 hours (healthy) 8080/tcp kasm_api
e84368f17f05 kasmweb/manager:1.18.1 "python3 /src/api_se…" 13 hours ago Up 13 hours (healthy) 8181/tcp kasm_manager
fba10c156321 kasmweb/kasm-guac:1.18.1 "/dockerentrypoint.sh" 13 hours ago Up 13 hours (healthy) kasm_guac
6ca8fd0608b8 kasmweb/postgres:1.18.1 "docker-entrypoint.s…" 13 hours ago Up 13 hours (healthy) 5432/tcp kasm_db
sudo docker logs kasm_rdp_gateway
2026-01-22 16:08:24,096 [DEBUG] __main__.handler: Active Sessions: {'unset-d26b246f-6c32-4f48-9b1e-d13255779d84': {'future': <Future at 0x7c45cb0c5eb0 state=finished raised Exception>, 'event': <threading.Event at 0x7c45cac78a10: unset>}, 'unset-4e3b32c3-727f-4e3b-88c4-1c5e21d6fe91': {'future': <Future at 0x7c45cac71b20 state=finished raised Exception>, 'event': <threading.Event at 0x7c45cbe871a0: unset>}}
Jan 22 16:08:44 [rdpproxy] psid="1960377115908" type="INCOMING_CONNECTION" src_ip="10.10.0.166" src_port="10770"
Jan 22 16:08:44 INFO (15908/15908) -- Redemption 12.0.11
Jan 22 16:08:44 INFO (15908/15908) -- src=10.10.0.166 sport=10770 dst=172.18.0.6 dport=3389
Jan 22 16:08:44 INFO (15908/15908) -- New session on 5 (pid=15908) from 10.10.0.166 to 172.18.0.6
Jan 22 16:08:44 INFO (15908/15908) -- CR Recv: PROTOCOL TLS
Jan 22 16:08:44 INFO (15908/15908) -- CR Recv: PROTOCOL HYBRID
Jan 22 16:08:44 INFO (15908/15908) -- CR Recv: PROTOCOL HYBRID EX
Jan 22 16:08:44 INFO (15908/15908) -- -----------------> Front::incoming: TLS Support Enabled nla=false
Jan 22 16:08:44 INFO (15908/15908) -- Enable TLS
Jan 22 16:08:44 INFO (15908/15908) -- CC Send: PROTOCOL TLS
Jan 22 16:08:44 INFO (15908/15908) -- SocketTransport::enable_server_tls() start (RDP Client)
Jan 22 16:08:44 INFO (15908/15908) -- Enable server TLS
Jan 22 16:08:44 INFO (15908/15908) -- TLSContext::enable_server_tls() set SSL options
Jan 22 16:08:44 INFO (15908/15908) -- TLSContext::X509_get_pubkey()
Jan 22 16:08:44 INFO (15908/15908) -- TLSContext::i2d_PublicKey()
Jan 22 16:08:44 INFO (15908/15908) -- Incoming connection to Bastion using TLS version TLSv1.3
Jan 22 16:08:44 INFO (15908/15908) -- TLSContext::Negociated cipher used TLS_AES_256_GCM_SHA384
Jan 22 16:08:44 INFO (15908/15908) -- SocketTransport::enable_server_tls() done (RDP Client)
Jan 22 16:08:44 INFO (15908/15908) -- partial_recv_tls error:00000005:lib(0)::reason(5)
Jan 22 16:08:44 ERR (15908/15908) -- SocketTransport::do_partial_read: Failed to read from socket RDP Client!
Jan 22 16:08:44 INFO (15908/15908) -- Socket RDP Client (5) : closing connection
Jan 22 16:08:46 [rdpproxy] psid="1960377315909" type="INCOMING_CONNECTION" src_ip="10.10.0.166" src_port="10771"
Jan 22 16:08:46 INFO (15909/15909) -- Redemption 12.0.11
Jan 22 16:08:46 INFO (15909/15909) -- src=10.10.0.166 sport=10771 dst=172.18.0.6 dport=3389
Jan 22 16:08:46 INFO (15909/15909) -- New session on 5 (pid=15909) from 10.10.0.166 to 172.18.0.6
Jan 22 16:08:46 INFO (15909/15909) -- CR Recv: PROTOCOL TLS
Jan 22 16:08:46 INFO (15909/15909) -- CR Recv: PROTOCOL HYBRID
Jan 22 16:08:46 INFO (15909/15909) -- CR Recv: PROTOCOL HYBRID EX
Jan 22 16:08:46 INFO (15909/15909) -- -----------------> Front::incoming: TLS Support Enabled nla=false
Jan 22 16:08:46 INFO (15909/15909) -- Enable TLS
Jan 22 16:08:46 INFO (15909/15909) -- CC Send: PROTOCOL TLS
Jan 22 16:08:46 INFO (15909/15909) -- SocketTransport::enable_server_tls() start (RDP Client)
Jan 22 16:08:46 INFO (15909/15909) -- Enable server TLS
Jan 22 16:08:46 INFO (15909/15909) -- TLSContext::enable_server_tls() set SSL options
Jan 22 16:08:46 INFO (15909/15909) -- TLSContext::X509_get_pubkey()
Jan 22 16:08:46 INFO (15909/15909) -- TLSContext::i2d_PublicKey()
Jan 22 16:08:46 INFO (15909/15909) -- Incoming connection to Bastion using TLS version TLSv1.3
Jan 22 16:08:46 INFO (15909/15909) -- TLSContext::Negociated cipher used TLS_AES_256_GCM_SHA384
Jan 22 16:08:46 INFO (15909/15909) -- SocketTransport::enable_server_tls() done (RDP Client)
Jan 22 16:08:46 INFO (15909/15909) -- GCC::UserData tag=c001 length=234
Jan 22 16:08:46 INFO (15909/15909) -- Client Color Depth is 32
Jan 22 16:08:46 INFO (15909/15909) -- GCC::UserData tag=c004 length=12
Jan 22 16:08:46 INFO (15909/15909) -- GCC::UserData tag=c002 length=12
Jan 22 16:08:46 INFO (15909/15909) -- GCC::UserData tag=c003 length=56
Jan 22 16:08:46 INFO (15909/15909) -- GCC::UserData tag=c006 length=8
Jan 22 16:08:46 INFO (15909/15909) -- GCC::UserData tag=c00a length=8
Jan 22 16:08:46 INFO (15909/15909) -- Front::incoming: Secure Settings Exchange
Jan 22 16:08:46 INFO (15909/15909) -- RDP-5 Style logon
Jan 22 16:08:46 INFO (15909/15909) -- Front::incoming: ACTIVATED (new license request)
...
Jan 22 16:08:46 INFO (15909/15909) -- 0030 04 .
Jan 22 16:08:46 INFO (15909/15909) -- connecting to /tmp/redemption-sesman-sock
Jan 22 16:08:46 INFO (15909/15909) -- connection to /tmp/redemption-sesman-sock succeeded : socket 4
Jan 22 16:08:46 INFO (15909/15909) -- Session: Keyboard Layout = 0xa0000409
2026-01-22 16:08:46,608 [DEBUG] __main__.handler: Entering passthrough start function
2026-01-22 16:08:46,609 [DEBUG] __main__.handler: Request connection settings from Kasm
2026-01-22 16:08:46,610 [INFO] __main__.handler: Current list of API servers (['proxy', 'kasm'])
Jan 22 16:08:46 INFO (15909/15909) -- New Module: MODULE_TRANSITORY
Jan 22 16:08:46 INFO (15909/15909) -- i18n context is set for "en" locale
2026-01-22 16:08:46,632 [DEBUG] __main__.handler: Health check return: {'ok': True}
2026-01-22 16:08:46,656 [ERROR] __main__.handler: Error from Kasm server for api: https://proxy:443/api/return_rdp_gateway_session_settings status: 403 error: No response
2026-01-22 16:08:46,656 [DEBUG] __main__.handler: Received response from Kasm: <Response [403]>
2026-01-22 16:08:46,657 [ERROR] __main__.handler: Invalid response from Kasm cannot continue.
2026-01-22 16:08:51,798 [INFO] __main__.handler: Checking if any kasm sessions are deleted
2026-01-22 16:08:51,798 [DEBUG] __main__.handler: No active Kasms, skipping deleted Kasm check.
2026-01-22 16:08:46,630 [DEBUG] client_api_server: Unauthenticated user made authorized API call to (healthcheck) from IP address (172.18.0.6).
2026-01-22 16:08:46,631 [INFO] cherrypy.access.136846673761280: 172.18.0.9 - - [22/Jan/2026:16:08:46] "POST /api/__healthcheck HTTP/1.1" 200 12 "" "python-requests/2.32.5"
2026-01-22 16:08:46,654 [ERROR] client_api_server: Failed to parse token claims in call to return_rdp_gateway_session_settings
Not enough segments
2026-01-22 16:08:46,654 [INFO] cherrypy.access.136846673761280: 172.18.0.9 - - [22/Jan/2026:16:08:46] "POST /api/return_rdp_gateway_session_settings HTTP/1.1" 403 35 "" "python-requests/2.32.5"
2026-01-22 16:08:51,611 [DEBUG] client_api_server: Unauthenticated user made authorized API call to (healthcheck) from IP address (127.0.0.1).
2026-01-22 16:08:51,612 [INFO] cherrypy.access.136846673761280: 127.0.0.1 - - [22/Jan/2026:16:08:51] "GET /api/__healthcheck HTTP/1.1" 200 12 "" "curl/7.88.1"
2
NETWORK ID NAME DRIVER SCOPE
825b738cb65f bridge bridge local
a859febb7687 host host local
1f70b34cd1a0 kasm_default_network bridge local
2f964439a376 kasm_sidecar_network kasmweb/sidecar:amd64-1.4 local
13fa6c5dd4f0 none null local
docker network inspect kasm_default_network
[
{
"Name": "kasm_default_network",
"Id": "1f70b34cd1a07f7a8093a83225554b194a4f556c9c0d14b9ca1626c9e9fc251f",
"Created": "2026-01-18T17:02:49.89160055-08:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv4": true,
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": {},
"Config": [
{
"Subnet": "172.18.0.0/16",
"IPRange": "",
"Gateway": "172.18.0.1"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Options": {},
"Labels": {},
"Containers": {
"080192a8c52a4f54e92ad715490d101f0db07942da8ef4d8cc8c19695ff99e0e": {
"Name": "kasm_rdp_https_gateway",
"EndpointID": "66b6d442a5e1927592e6eb38702f44189d9abb413d22dd02fae11d573dab77f9",
"MacAddress": "02:0f:17:9f:c8:f4",
"IPv4Address": "172.18.0.8/16",
"IPv6Address": ""
},
"191cd2aa5060e87b03ca4823dd0b8f5465b8377a6975b14ae1c648188109aca3": {
"Name": "kasm_proxy",
"EndpointID": "5f06f213c9b60cb0bb7f40dc46afda8ad4ee4c3dd0d979122cec1fdda84a1cd2",
"MacAddress": "ca:4f:89:4d:10:1e",
"IPv4Address": "172.18.0.9/16",
"IPv6Address": ""
},
"66fee29440b2da4d9ec607ebd78fca7bada35f6b7c973ffb2dfc638612bb6380": {
"Name": "kasm_agent",
"EndpointID": "b5f591870dff94821bd919c3351687a7a682ec694d698b4d94809c993cdab906",
"MacAddress": "96:08:3c:26:04:46",
"IPv4Address": "172.18.0.7/16",
"IPv6Address": ""
},
"6ca8fd0608b8cac406a80915216faa3b96eeaf173b30e18538cf1076cf51d730": {
"Name": "kasm_db",
"EndpointID": "0a842d4fc255ee42051a6f4864f3ddd583d70a03083813fe555d4ef195cb3da5",
"MacAddress": "ae:3e:ea:91:70:9e",
"IPv4Address": "172.18.0.2/16",
"IPv6Address": ""
},
"e84368f17f05d41a9a3cde555ad5b0323e218f2feea07d169a0a984acf87463f": {
"Name": "kasm_manager",
"EndpointID": "1e61166dfc5fbb45874892226a67ef38e21dc69609e7730e1c2b0058ec267e60",
"MacAddress": "8e:9b:07:e2:dc:6b",
"IPv4Address": "172.18.0.4/16",
"IPv6Address": ""
},
"f6a5cdff1e383360e6bd47a32c124202c30c15db79b78e95cb9270155b7da5a2": {
"Name": "kasm_api",
"EndpointID": "ae2876bf549d5c841a712fd102f80aefdeffb06f542f9fe19da551aab84efc84",
"MacAddress": "ee:bc:b5:a8:db:20",
"IPv4Address": "172.18.0.5/16",
"IPv6Address": ""
},
"f96e86caa64de2e2795ea4abc48659cc7865429057f79e03b2eec6989ff3a176": {
"Name": "kasm_rdp_gateway",
"EndpointID": "b7282e977d9ab438c9a82ae57ff8cc9dbb88fa06abe34f4a0eabbf54d8db4459",
"MacAddress": "ca:8f:db:2a:86:94",
"IPv4Address": "172.18.0.6/16",
"IPv6Address": ""
},
"fba10c1563216f4f7e2b2d4b736814c38c9c05d02954909b0330324caa9feb5c": {
"Name": "kasm_guac",
"EndpointID": "2296301524edceac4a2be46a87a00a182de2934760cb40da4bbf8fd02a2b7f54",
"MacAddress": "b6:53:b1:4c:de:3c",
"IPv4Address": "172.18.0.3/16",
"IPv6Address": ""
}
},
"Status": {
"IPAM": {
"Subnets": {
"172.18.0.0/16": {
"IPsInUse": 11,
"DynamicIPsAvailable": 65525
}
}
}
}
}
]
Additional context
I tried lots of different settings in my troubleshooting process for the zone, to no avail. Below is a screenshot of the current settings. I'm using Caddy in front of the main web UI with a DNS entry that resolves to a private IP, but since the RDP client is attempting to connect to port 3389 on the Kasm host directly, I wouldn't think that is part of the problem.
Describe the bug
I am unable to connect to a workspace via RDP using the official Microsoft client. The connection hangs on a black screen displaying "Please wait." Attached container logs suggest an issue with authentication tokens, specifically
Failed to parse token claims in call to return_rdp_gateway_session_settingsfrom kasm_api.Environment
To Reproduce
Steps to reproduce the behavior:
Expected behavior
A login screen for the KASM RDP gateway.
Screenshots
Workspaces Version
1.18.1
Workspaces Installation Method
Proxmox helper script (Default installer, no special options)
Client Browser:
Bug appears on both MacOS latest and Windows 11 remote desktop client.
Workspace Server Information:
uname -aLinux kasm 6.8.12-10-pve #1 SMP PREEMPT_DYNAMIC PMX 6.8.12-10 (2025-04-18T07:39Z) x86_64 GNU/Linuxcat /etc/os-releasesudo docker infosudo docker ps | grep kasmsudo docker logs kasm_rdp_gatewaydocker logs kasm_apidocker network lsdocker network inspect kasm_default_networkAdditional context
I tried lots of different settings in my troubleshooting process for the zone, to no avail. Below is a screenshot of the current settings. I'm using Caddy in front of the main web UI with a DNS entry that resolves to a private IP, but since the RDP client is attempting to connect to port 3389 on the Kasm host directly, I wouldn't think that is part of the problem.