"Users who submit valid credentials might be notified that they do not have permissions. If this occurs, the portalsuperuseraccount property and the portalsuperreaderaccount property of the Web application were probably configured prior to migration. If this is the case, you must update the portalsuperuseraccount property and the portalsuperreaderaccount property to use the new claims-based account name. After migration, you can find the new claims-based account name in the Web application policy for the migrated Web application"
$wa = Get-SPWebApplication -Identity "WebAppUrl"
$wa.Properties["portalsuperuseraccount"] = "domain\user"
$wa.Properties["portalsuperreaderaccount"] = "domain\user"$wa.Update()
Update: Why we need to configure?
By default, the Portal Super User account is the site’s System Account, and the Portal Super Reader account is NT Authority\Local Service.
NT Authority\Local Service is not correctly resolved in a claims authentication application. As a result, if the Portal Super Reader account is not explicitly configured for a claims authentication application, browsing to site collections under this application will result in an “Access Denied” error, even for the site administrator. This error will occur on any site that uses any feature that explicitly uses the object cache, such as the SharePoint Server Publishing Infrastructure, metadata navigation, the Content Query Web Part, or navigation.