Prior to 2.8.1 the hostname, username and password were pushed to the TL client when you opened the RDP session. With 2.8.1 the password is not part of the information pushed to the TL client. Instead the TL client will request the password from PAM when it is needed.
If the TL client cannot open a HTTPS session to PAM it cannot fetch the password and you will see it as being stuck at the password field.
If you connect to PAM via a NAT'ted firewall with port mapping, this will not work. The TL client will use the browser address when connecting to PAM. Only the hostname is used but not any port number. The port number is fixed if you connect to PAM using anything but 443, the TL client will not fetch the password fetch.
Furthermore, then the connection from the TL client is opened it opens an HTTPS connection. If the PAM server certificate cannot be verified then the connection will not be established and the password is not fetched. On your jump server (where the TL client is running) validate that you can open a browser to PAM without any warnings or errors. If there are anything about a untrusted connection or a certificate validation warning, then the TL client will not work.