Wow this was a fun issue. A web application using Claims-based authentication started giving access denied errors to ALL users after setting the values of the PortalSuperUserAccount and PortalSuperReaderAccount properties of the web application.
I won’t write much because it’s all explained in this excellent blog post by Andras Gaal.
Essentially, if you setup the accounts and give them permission via Web App Policy – you have to assign the account values using the Claims ID (i:0#.w|domain\user), NOT the (domain\user) NTLM ID.
To set the properties, use PowerShell!
$webapp = Get-SPWebApplication http://webappurl $webapp.Properties["portalsuperuseraccount"] = "<claimsId> $webapp.Properties["portalsuperreaderaccount"] = <claimsId> $webapp.Update()