asp.net membership - DNN (DotNetNuke) - Password reset stored in PasswordHistory table, not aspnet_Membership
I have a DNN site running DNN 7.04.00 (353). I am not able to reset passwords on the site. If I utilize the built-in password reset functionality I can receive the password reset email link. I click the link, enter my email address and a new password. No matter what, I keep getting an error that states, "Your new password was not accepted for security reasons. Please make sure you choose a password that does not match a used password, and is long and complex enough to meet the site's password complexity requirements."
Here's what's weird about it: I am entering a strong password that has never been used before. When I do this, I can see the following things happen:
- The password reset link is sent with a password token. I can see the same token in the "Users" table.
- I follow the link. I attempt to reset the password using a valid and not used password. No matter what, I receive the error above.
- The Users.PasswordResetToken column value is reset. Users.PasswordResetExpiration is set to NULL. This tells me I've used the token and it is no longer valid.
- Here's what's strange... the aspnet_Membership.Password hash value is never changed... okay, that makes sense, I couldn't change the password. However, I have a new entry in the PasswordHistory table. The value here is hashed, but it looks like the reset password I entered is stored in the PasswordHistory table... the new password did not get stored in the aspnet_Membership table.
No matter what, the password isn't accepted, but it's stored in the PasswordHistory table. Does anyone have an idea what could cause this? A few notes that may help:
- Users register accounts on the site via a custom registration module, not the default DNN registration module.
- In the DNN web.config I have the following settings:
  - passwordStrengthRegularExpression is non-existent; I have removed it from web.config for troubleshooting.
  - enablePasswordReset is true
  - requiresQuestionAndAnswer is true
  - passwordFormat is Hashed
Thank you for your help.
Looking at the core code (UserController.ChangePasswordByToken()), it appears the password history check happens before the password validation. The history check adds the attempted password to the history. So it might be possible that if the password doesn't meet the validation rules, it is added to the history without being changed.
In Host > Host Settings > Advanced Settings > Membership Management, you can disable the history by unchecking "Enable Password History".
But you need to focus on the password validation because that appears to be failing. It consists of 3 attributes of AspNetSqlMembershipProvider in web.config:
- minRequiredPasswordLength
- minRequiredNonalphanumericCharacters
- passwordStrengthRegularExpression
Like you mentioned, passwordStrengthRegularExpression being empty or missing should not be of concern. Make sure the password you are entering meets the minimum character length in minRequiredPasswordLength and contains the number of non-alphanumeric characters required by minRequiredNonalphanumericCharacters.
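To find out which of the three rules rejects a candidate password, the checks can be reproduced outside the site. This is an added example, not code from the posts above or from DNN: `PasswordPolicy` and `Explain` are hypothetical names, the policy values and sample passwords are constructed, and it assumes that every character that is not a letter or digit counts as non-alphanumeric.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

// Hypothetical helper: mirrors the three web.config password rules and names each one that fails.
public sealed class PasswordPolicy
{
    public int MinRequiredPasswordLength { get; set; }
    public int MinRequiredNonAlphanumericCharacters { get; set; }
    public string PasswordStrengthRegularExpression { get; set; } = "";

    public IReadOnlyList<string> Explain(string candidate)
    {
        var failures = new List<string>();
        candidate = candidate ?? "";

        if (candidate.Length < MinRequiredPasswordLength)
            failures.Add($"minRequiredPasswordLength: {candidate.Length} < {MinRequiredPasswordLength}");

        // Assumption: anything that is not a letter or digit counts toward the minimum.
        int symbols = candidate.Count(c => !char.IsLetterOrDigit(c));
        if (symbols < MinRequiredNonAlphanumericCharacters)
            failures.Add($"minRequiredNonalphanumericCharacters: {symbols} < {MinRequiredNonAlphanumericCharacters}");

        // An empty or missing expression imposes no constraint.
        if (!string.IsNullOrEmpty(PasswordStrengthRegularExpression) &&
            !Regex.IsMatch(candidate, PasswordStrengthRegularExpression))
            failures.Add("passwordStrengthRegularExpression: no match");

        return failures;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed values; copy the real ones from the provider entry in web.config.
        var policy = new PasswordPolicy { MinRequiredPasswordLength = 7, MinRequiredNonAlphanumericCharacters = 1 };
        var samples = new[] { "Tr0ub4dor", "short!", "Long-enough-1" }; // constructed test passwords
        for (int i = 0; i < samples.Length; i++)
        {
            var failures = policy.Explain(samples[i]);
            // Report by index so candidate passwords never reach console output or logs.
            Console.WriteLine($"candidate #{i}: " + (failures.Count == 0 ? "accepted" : string.Join("; ", failures)));
        }
    }
}
```

A password that passes all three checks here but is still rejected by the site points back at the history check rather than the complexity rules.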
Here is a snippet of the code I'm using to register a new user:

```csharp
// newuser and membershipprovider are declared elsewhere in the module (not shown in the post).
newuser = new UserInfo();
newuser.PortalID = this.PortalId;
newuser.IsSuperUser = false;
newuser.FirstName = txtfirstname.Text;
newuser.LastName = txtlastname.Text;
newuser.DisplayName = txtfirstname.Text + " " + txtlastname.Text;
newuser.Email = txtemailaddress.Text.Trim();
newuser.Username = txtemailaddress.Text.Trim();
newuser.LastIPAddress = Request.UserHostAddress;

// Custom and built-in profile properties.
newuser.Profile.ProfileProperties["companyname"].PropertyValue = txtcompanyname.Text;
newuser.Profile.ProfileProperties["addressline1"].PropertyValue = txtaddressline1.Text;
newuser.Profile.ProfileProperties["addressline2"].PropertyValue = txtaddressline2.Text;
newuser.Profile.City = txtcity.Text;
newuser.Profile.ProfileProperties["state"].PropertyValue = ddlstate.SelectedValue;
newuser.Profile.PostalCode = wmezipcode.Text.Trim().TrimEnd('-');
newuser.Profile.Telephone = wmephonenumber.Text;
if (lblwmephonenumberextension.Text.Trim().CompareTo(string.Empty) != 0)
{
    newuser.Profile.ProfileProperties["telephoneextension"].PropertyValue = wmephonenumberextension.Text;
}

// Membership record: password plus security question and answer.
var newmembership = new UserMembership(newuser);
newmembership.Approved = true;
newmembership.CreatedDate = DateTime.Now;
newmembership.IsOnLine = false;
newmembership.Password = txtpassword.Text;
newmembership.PasswordQuestion = ddlsecurityquestion.SelectedValue;
newmembership.PasswordAnswer = txtsecurityquestionanswer.Text;
newuser.Membership = newmembership;

UserCreateStatus userstatus = membershipprovider.CreateUser(ref newuser);
```