SAML Kerberos auth broken

Does ucr get kerberos/realm really yield lower-case phiku.de instead of PHIKU.DE? 'cause Kerberos is case-sensitive, and your keytab contains keys in the expected upper case.

However, the error message would be different if the requested ID used lower case:

[0 root@master ~] kinit -t /etc/simplesamlphp.keytab HTTP/ucs-sso.mbu-test.intranet@MBU-TEST.INTRANET
[0 root@master ~] kdestroy
[0 root@master ~] kinit -t /etc/simplesamlphp.keytab HTTP/ucs-sso.mbu-test.intranet@mbu-test.intranet
kinit: krb5_init_creds_set_keytab: Failed to find HTTP/ucs-sso.mbu-test.intranet@mbu-test.intranet in keytab FILE:/etc/simplesamlphp.keytab (unknown enctype)

It’s possible that the key version in the exported keytab is too old (meaning that a newer version is present on the KDC). Please execute the following & post the output:

univention-s4search --cross-ncs "(|(userPrincipalName=HTTP/ucs-sso.$(ucr get domainname)@$(ucr get kerberos/realm))(cn=ucs-sso))" | ldapsearch-wrapper
univention-s4search --cross-ncs "(|(userPrincipalName=HTTP/ucs-sso.$(ucr get domainname)@$(ucr get kerberos/realm))(cn=ucs-sso))" msDS-KeyVersionNumber
samba-tool domain exportkeytab ucs-sso.keytab --principal HTTP/ucs-sso.$(ucr get domainname)@$(ucr get kerberos/realm)
ktutil -k ucs-sso.keytab list
kinit -t ucs-sso.keytab HTTP/ucs-sso.$(ucr get domainname)@$(ucr get kerberos/realm)

Be sure to clean up afterwards:

kdestroy
rm ucs-sso.keytab