
RDP Connection drops during inactivity

Open nordeep opened this issue 1 month ago • 6 comments

Describe the bug

I'm experiencing an issue where RDP connections to a Windows Server 2025 via authentik are dropped and reconnected when there is no activity in the RDP window (no visual updates, mouse movements, or keyboard input). However, the RDP session remains stable if there is even minimal activity (for example, having the Task Manager window open).

With debug logging enabled for the RAC Outpost, the following logs appear at the moment of disconnection and reconnection:

{"event":"guacd[44]: DEBUG:\tpduType PDU_TYPE_DATA not properly parsed, 562 bytes remaining unhandled. Skipping.","level":"info","logger":"authentik.outpost.rac.guacd","timestamp":"2025-12-08T06:30:34Z"}
{"connection":"asgi.specific.07db277a086b4b20838f0d35ad08767f","error":null,"event":"removing connection","level":"info","timestamp":"2025-12-08T06:31:21Z"}
{"event":"guacd[44]: INFO:\tUser \"@e7bed609-33cd-4cc8-8842-7492668091b5\" disconnected (0 users remain)","level":"info","logger":"authentik.outpost.rac.guacd","timestamp":"2025-12-08T06:31:21Z"}
{"event":"guacd[44]: INFO:\tLast user of connection \"$dad0c258-6c30-4a6f-a5ca-e57568ed8af8\" disconnected","level":"info","logger":"authentik.outpost.rac.guacd","timestamp":"2025-12-08T06:31:21Z"}
{"event":"guacd[44]: DEBUG:\tRequesting termination of client...","level":"info","logger":"authentik.outpost.rac.guacd","timestamp":"2025-12-08T06:31:21Z"}
{"event":"guacd[44]: DEBUG:\tCLIPRDR (clipboard redirection) channel disconnected.","level":"info","logger":"authentik.outpost.rac.guacd","timestamp":"2025-12-08T06:31:22Z"}
{"event":"guacd[44]: DEBUG:\tRDPGFX channel support unloaded.","level":"info","logger":"authentik.outpost.rac.guacd","timestamp":"2025-12-08T06:31:22Z"}
{"event":"guacd[44]: DEBUG:\tDisplay update channel disconnected.","level":"info","logger":"authentik.outpost.rac.guacd","timestamp":"2025-12-08T06:31:22Z"}
{"event":"guacd[44]: DEBUG:\tSVC \"rdpdr\" disconnected.","level":"info","logger":"authentik.outpost.rac.guacd","timestamp":"2025-12-08T06:31:22Z"}
{"event":"guacd[44]: DEBUG:\tSVC \"rdpsnd\" disconnected.","level":"info","logger":"authentik.outpost.rac.guacd","timestamp":"2025-12-08T06:31:22Z"}
{"event":"guacd[44]: INFO:\tInternal RDP client disconnected","level":"info","logger":"authentik.outpost.rac.guacd","timestamp":"2025-12-08T06:31:22Z"}
{"event":"guacd[44]: DEBUG:\tClient terminated successfully.","level":"info","logger":"authentik.outpost.rac.guacd","timestamp":"2025-12-08T06:31:22Z"}
{"event":"guacd[17]: INFO:\tConnection \"$dad0c258-6c30-4a6f-a5ca-e57568ed8af8\" removed.","level":"info","logger":"authentik.outpost.rac.guacd","timestamp":"2025-12-08T06:31:22Z"}
{"event":"guacd[17]: DEBUG:\tUnable to request termination of client process: No such process ","level":"info","logger":"authentik.outpost.rac.guacd","timestamp":"2025-12-08T06:31:22Z"}
{"event":"guacd[17]: DEBUG:\tAll child processes for connection \"$dad0c258-6c30-4a6f-a5ca-e57568ed8af8\" have been terminated.","level":"info","logger":"authentik.outpost.rac.guacd","timestamp":"2025-12-08T06:31:22Z"}
{"event":"guacd[17]: INFO:\tCreating new client for protocol \"rdp\"","level":"info","logger":"authentik.outpost.rac.guacd","timestamp":"2025-12-08T06:31:22Z"}
{"event":"guacd[17]: INFO:\tConnection ID is \"$7928712a-302f-4467-9c82-da081f52e2d1\"","level":"info","logger":"authentik.outpost.rac.guacd","timestamp":"2025-12-08T06:31:22Z"}

For testing purposes, I configured a direct connection to authentik without using any reverse proxies: Authentik URL: https://internal.ip:9443/

My Outpost is also configured to connect via the internal IP:

log_level: debug
docker_labels: null
authentik_host: https://internal.ip:9443/
docker_network: null
container_image: null
docker_map_ports: true
refresh_interval: minutes=5
kubernetes_replicas: 1
kubernetes_namespace: default
authentik_host_browser: ""
object_naming_template: ak-outpost-%(name)s
authentik_host_insecure: true
kubernetes_json_patches: null
kubernetes_service_type: ClusterIP
kubernetes_ingress_path_type: null
kubernetes_image_pull_secrets: []
kubernetes_ingress_class_name: null
kubernetes_disabled_components: []
kubernetes_ingress_annotations: {}
kubernetes_ingress_secret_name: authentik-outpost-tls
kubernetes_httproute_annotations: {}
kubernetes_httproute_parent_refs: []

How to reproduce

  1. Set up the RDP RAC Provider according to the documentation - https://docs.goauthentik.io/add-secure-apps/providers/rac/how-to-rac/
  2. Connect to RDP using the created Application.
  3. Leave the RDP session in a static state (do not move the mouse, minimize windows that cause screen updates) for 30-60 seconds.
  4. The RDP window will reload several times. In my case, after 3-4 reloads, the session hangs and can only be resolved by refreshing the browser window.

Expected behavior

The RDP window should not reload due to inactivity. The RDP session should remain stable and connected even without user input or visual updates from the RDP window.

Screenshots

No response

Additional context

No response

Deployment Method

Docker

Version

2025.10.2

Relevant log output


nordeep avatar Dec 08 '25 08:12 nordeep
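One way to quantify the reconnect cycles from the outpost debug log in the report above, as an added example that is not part of the original thread or authentik's own code: it parses the JSON log lines, finds each user disconnect, and pairs the removed connection ID with the one that replaces it. The function names and the `quiet_seconds` / `reconnect_seconds` fields are illustrative; the sample input is five of the log lines quoted in the issue.

```python
import json
import re
from datetime import datetime

# Sample input: five of the outpost log lines quoted in the issue above.
SAMPLE = r'''
{"event":"guacd[44]: DEBUG:\tpduType PDU_TYPE_DATA not properly parsed, 562 bytes remaining unhandled. Skipping.","level":"info","logger":"authentik.outpost.rac.guacd","timestamp":"2025-12-08T06:30:34Z"}
{"event":"guacd[44]: INFO:\tUser \"@e7bed609-33cd-4cc8-8842-7492668091b5\" disconnected (0 users remain)","level":"info","logger":"authentik.outpost.rac.guacd","timestamp":"2025-12-08T06:31:21Z"}
{"event":"guacd[17]: INFO:\tConnection \"$dad0c258-6c30-4a6f-a5ca-e57568ed8af8\" removed.","level":"info","logger":"authentik.outpost.rac.guacd","timestamp":"2025-12-08T06:31:22Z"}
{"event":"guacd[17]: INFO:\tCreating new client for protocol \"rdp\"","level":"info","logger":"authentik.outpost.rac.guacd","timestamp":"2025-12-08T06:31:22Z"}
{"event":"guacd[17]: INFO:\tConnection ID is \"$7928712a-302f-4467-9c82-da081f52e2d1\"","level":"info","logger":"authentik.outpost.rac.guacd","timestamp":"2025-12-08T06:31:22Z"}
'''

GUACD = re.compile(r'guacd\[\d+\]: \w+:\s*(.*)', re.S)
USER_GONE = re.compile(r'User "(@[^"]+)" disconnected')
REMOVED = re.compile(r'Connection "(\$[0-9a-f-]+)" removed')
NEW_ID = re.compile(r'Connection ID is "(\$[0-9a-f-]+)"')

def parse(lines):
    """Yield (timestamp, guacd message) for each guacd line in the outpost log."""
    for line in lines:
        try:
            rec = json.loads(line)
            m = GUACD.match(rec["event"])
            ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        except (ValueError, KeyError, TypeError):
            continue  # blank, non-JSON or incomplete record
        if m and rec.get("logger") == "authentik.outpost.rac.guacd":
            yield ts, m.group(1)

def reconnects(lines):
    """Pair each dropped connection with the connection ID that replaces it."""
    events, prev_ts, drop = [], None, None
    for ts, msg in parse(lines):
        if USER_GONE.search(msg):
            # Time since the previous guacd log line, i.e. how long guacd was silent.
            quiet = (ts - prev_ts).total_seconds() if prev_ts else None
            drop = {"dropped_at": ts, "quiet_seconds": quiet}
        elif drop and (m := REMOVED.search(msg)):
            drop["old_id"] = m.group(1)
        elif drop and "old_id" in drop and (m := NEW_ID.search(msg)):
            drop["new_id"] = m.group(1)
            drop["reconnect_seconds"] = (ts - drop.pop("dropped_at")).total_seconds()
            events.append(drop)
            drop = None
        prev_ts = ts
    return events

if __name__ == "__main__":
    print(reconnects(SAMPLE.splitlines()))
```

Run over a full outpost log, a consistent `quiet_seconds` value across events points at a fixed idle timer rather than a random network fault.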

The most likely explanation is that a timeout is being triggered on your reverse proxy setup. On nginx the relevant settings would be the proxy_read_timeout and proxy_send_timeout, or potentially keepalive_timeout or send_timeout. You can test this behavior by connecting without the proxy being involved. Or investigate the logs of your reverse proxy setup.

Guacamole (which authentik utilizes for RAC) has an api-session-timeout setting but this defaults to 60 minutes and so shouldn't be relevant.

dewi-tik avatar Dec 08 '25 12:12 dewi-tik

> The most likely explanation is that a timeout is being triggered on your reverse proxy setup. On nginx the relevant settings would be the proxy_read_timeout and proxy_send_timeout, or potentially keepalive_timeout or send_timeout. You can test this behavior by connecting without the proxy being involved. Or investigate the logs of your reverse proxy setup.
>
> Guacamole (which authentik utilizes for RAC) has an api-session-timeout setting but this defaults to 60 minutes and so shouldn't be relevant.

My initial suspicions were also related to the reverse proxy. In my case, I am using HAProxy. After no changes made to HAProxy yielded positive results, I decided to test a direct connection using the internal IP, which I am describing in this issue. The issue persists even without using a reverse proxy.

nordeep avatar Dec 08 '25 12:12 nordeep

Can you replicate the same behavior with a direct RDP connection to the RDP server? Not using authentik at all? Maybe an inactivity timeout on the server itself?

dewi-tik avatar Dec 08 '25 13:12 dewi-tik

> Can you replicate the same behavior with a direct RDP connection to the RDP server? Not using authentik at all? Maybe an inactivity timeout on the server itself?

All services — authentik, outpost, and RDP — are deployed on virtual machines within the same local network. For testing, I added another Windows Server 2025 RDP server. When connecting through authentik, the disconnection due to inactivity also occurs.
When using a native RDP client, no such issues are noted when connecting directly to the Windows Server.

I decided to test SSH connections via authentik. Everything works well, with no disconnections due to inactivity.

nordeep avatar Dec 08 '25 13:12 nordeep

You can test changing the guacamole timeout setting. It can be applied as described here: https://docs.goauthentik.io/add-secure-apps/providers/rac/#connection-settings.

dewi-tik avatar Dec 08 '25 14:12 dewi-tik

From what I understand, this timeout relates to how long Guacamole waits for a connection response from the RDP server, not to the idle time of an established session.

Nevertheless, I tested this by adding the setting in the Provider. It did not resolve the issue; the connection still reconnects when there is no activity.

nordeep avatar Dec 08 '25 15:12 nordeep