Say you have a user with no password question and answer. It turns out that calling ResetPassword() on that user will throw an exception. There’s an overload that takes password answer as a parameter, which also throws an exception if the wrong answer is provided.
The way to get around this issue for me turned out to be changing “requiresQuestionAndAnswer” to “false” in the membership provider configuration.