diff --git a/client/X11/xf_client.c b/client/X11/xf_client.c
index 3f056210e..0c164106f 100644
--- a/client/X11/xf_client.c
+++ b/client/X11/xf_client.c
@@ -1528,11 +1528,30 @@ void* xf_client_thread(void* param)
 
 	xfc = (xfContext*) instance->context;
 
-	/* Connection succeeded. --authonly ? */
-	if (instance->settings->AuthenticationOnly || !status)
+	/* --authonly ? */
+	if (instance->settings->AuthenticationOnly)
 	{
 		WLog_ERR(TAG, "Authentication only, exit status %d", !status);
-		exit_code = XF_EXIT_CONN_FAILED;
+		if (!status)
+		{
+			if (freerdp_get_last_error(instance->context) == FREERDP_ERROR_AUTHENTICATION_FAILED)
+				exit_code = XF_EXIT_AUTH_FAILURE;
+			else
+				exit_code = XF_EXIT_CONN_FAILED;
+		}
+		else
+			exit_code = XF_EXIT_SUCCESS;
+		goto disconnect;
+	}
+
+	if (!status)
+	{
+		WLog_ERR(TAG, "Freerdp connect error exit status %d", !status);
+		exit_code = freerdp_error_info(instance);
+		if (freerdp_get_last_error(instance->context) == FREERDP_ERROR_AUTHENTICATION_FAILED)
+			exit_code = XF_EXIT_AUTH_FAILURE;
+		else
+			exit_code = XF_EXIT_CONN_FAILED;
 		goto disconnect;
 	}
 
@@ -1643,7 +1662,7 @@ disconnect:
 
 DWORD xf_exit_code_from_disconnect_reason(DWORD reason)
 {
-	if (reason == 0 || (reason >= XF_EXIT_PARSE_ARGUMENTS && reason <= XF_EXIT_CONN_FAILED))
+	if (reason == 0 || (reason >= XF_EXIT_PARSE_ARGUMENTS && reason <= XF_EXIT_AUTH_FAILURE))
 		return reason;
 	/* License error set */
 	else if (reason >= 0x100 && reason <= 0x10A)
diff --git a/client/X11/xfreerdp.h b/client/X11/xfreerdp.h
index a885536c7..d59ae1ebf 100644
--- a/client/X11/xfreerdp.h
+++ b/client/X11/xfreerdp.h
@@ -275,6 +275,7 @@ enum XF_EXIT_CODE
 	XF_EXIT_MEMORY = 129,
 	XF_EXIT_PROTOCOL = 130,
 	XF_EXIT_CONN_FAILED = 131,
+	XF_EXIT_AUTH_FAILURE = 132,
 
 	XF_EXIT_UNKNOWN = 255,
 };
diff --git a/libfreerdp/core/connection.c b/libfreerdp/core/connection.c
index 295ed9907..5047aadfe 100644
--- a/libfreerdp/core/connection.c
+++ b/libfreerdp/core/connection.c
@@ -301,7 +301,6 @@ BOOL rdp_client_connect(rdpRdp* rdp)
 		{
 			if (!freerdp_get_last_error(rdp->context))
 				freerdp_set_last_error(rdp->context, FREERDP_ERROR_CONNECT_TRANSPORT_FAILED);
-
 			return FALSE;
 		}
 	}
diff --git a/libfreerdp/core/transport.c b/libfreerdp/core/transport.c
index 0e358cc87..0d132fe73 100644
--- a/libfreerdp/core/transport.c
+++ b/libfreerdp/core/transport.c
@@ -58,6 +58,18 @@
 
 static void* transport_client_thread(void* arg);
 
+
+static void transport_ssl_cb(SSL* ssl, int where, int ret)
+{
+	rdpTransport *transport;
+	if ((where | SSL_CB_ALERT) && (ret == 561))
+	{
+		transport = (rdpTransport *) SSL_get_app_data(ssl);
+		if (!freerdp_get_last_error(transport->context))
+			freerdp_set_last_error(transport->context, FREERDP_ERROR_AUTHENTICATION_FAILED);
+	}
+}
+
 wStream* transport_send_stream_init(rdpTransport* transport, int size)
 {
 	wStream* s;
@@ -146,6 +158,9 @@ BOOL transport_connect_tls(rdpTransport* transport)
 
 	transport->frontBio = tls->bio;
 
+	BIO_callback_ctrl(tls->bio, BIO_CTRL_SET_CALLBACK, (bio_info_cb*) transport_ssl_cb);
+	SSL_set_app_data(tls->ssl, transport);
+
 	if (!transport->frontBio)
 	{
 		WLog_ERR(TAG, "unable to prepend a filtering TLS bio");