This is a known issue as mentioned in: https://help.rallydev.com/microsoft-tfs-work-items-installation-user-guide
Let us explain this in more detail:
When any of the CA connectors run, the first thing they do is encrypt the login credentials in the configuration file (or YML file). This is done using a cryptographic key specific to the machine the connector is running on, and a "salt" value that contains the hash value of the current config file. So, whenever you change the config file, the old encryption will no longer work. This is a protection mechanism to prevent unauthorized changes to the config file.
In order to "authorize" the changes, you have to re-enter the unencrypted credentials by wiping out all the text between the > and </ symbols and replacing it with the credential needed.
For instance, you would replace:
For a YML file, you would replace:
Password : encoded-W-V-A-L-Z-U-5-a-b-k-Y-=-
with:
Password : theRealPassword
Then, save the config (or YML) file and run the connector again.
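The binding described above can be sketched as follows. This is an added illustration, not the connector's own code: the choice of PBKDF2 and AES-256-GCM, the blanking of the Password value before hashing, the machine key and the sample config are all assumptions made for the example.

```ruby
require 'openssl'
require 'base64'

# Assumption: stand-in for the machine-specific key (constructed value).
MACHINE_KEY = 'constructed-machine-secret'

# Constructed sample config; field names other than Password are hypothetical.
SAMPLE_CONFIG = <<~YML
  Connection:
    Url      : rally.example.com
    User     : integration@example.com
    Password : theRealPassword
YML

# Salt = SHA-256 of the config with the Password value blanked, so writing
# the encoded value back into the file does not itself change the salt.
def config_salt(config_text)
  normalized = config_text.gsub(/^(\s*Password\s*:).*$/, '\1')
  OpenSSL::Digest.new('SHA256').digest(normalized)
end

def derive_key(config_text)
  OpenSSL::PKCS5.pbkdf2_hmac(MACHINE_KEY, config_salt(config_text),
                             100_000, 32, OpenSSL::Digest.new('SHA256'))
end

def seal_password(config_text, password)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  cipher.key = derive_key(config_text)
  iv = cipher.random_iv
  cipher.auth_data = ''
  ciphertext = cipher.update(password) + cipher.final
  'encoded-' + Base64.strict_encode64(iv + cipher.auth_tag + ciphertext)
end

# Returns the password, or nil when the config changed after sealing.
def open_password(config_text, sealed)
  raw = Base64.strict_decode64(sealed.sub(/\Aencoded-/, ''))
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.decrypt
  cipher.key = derive_key(config_text)
  cipher.iv = raw[0, 12]
  cipher.auth_tag = raw[12, 16]
  cipher.auth_data = ''
  (cipher.update(raw[28..-1]) + cipher.final).force_encoding('UTF-8')
rescue OpenSSL::Cipher::CipherError
  nil
end
```

Because the key is derived from the file's hash, editing any other field makes `open_password` return nil, which is the point at which the plain-text credential has to be re-entered.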