After getting a few random reports of users getting a 403, and having to refresh the page. Or being prompted with a login box I've started digging into my ULS logs and can see quite a few Claims problems.
The Event viewer is reporting loads of 8306 -
The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs.
Here's some of what I can see in ULS
SPFederationAuthenticationModule.IsRedirectToLogOnPage: This is a 302 redirect to /_login/default.aspx?ReturnUrl=%2fsites%12345%2f_vti_bin%2fCopy.asmx
SPSecurityContext: Could not retrieve a valid windows identity for username 'domain\user' with UPN 'Trevor.Sheader@DeepSeaPLC.local'. UPN is required when Kerberos constrained delegation is used. Exception: System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: WTS0003: The caller is not authorized to access the service. (Fault Detail is equal to An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true, whose value is: System.UnauthorizedAccessException: WTS0003: The caller is not authorized to access the service. at Microsoft.IdentityModel.WindowsTokenService.CallerSecurity.CheckCaller(WindowsIdentity callerIdentity) at Microsoft.IdentityModel.WindowsTokenService.S4UServiceContract.PerformLogon(Func`1 logonOperation, Int32 pid) at SyncInvokeUpnLogon(Object , Object[] , Object[] ) at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs) at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc) at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc) at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage11(MessageRpc& rpc) at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet))..
Claims Windows Sign-In: Sending 401 for request 'https://site/site/_vti_bin/Dws.asmx' because the user is not authenticated and resource requires authentication.
I've searched for the errors and tried a few things...
Correct services are running.
Patched to Nov CU
SuperUser and SuperReader Accounts configured